Information System Security Risk Management in the Autonomous Driving Vehicles

Supervisors: Abasi-Amefon O. Affia and Raimundas Matulevicius (rma [ät] ut [dot] ee)

Contact: rma ät ut dot ee

Autonomous driving vehicles are complex cyber-physical systems. Such a vehicle uses a network, sensors, and an electronic control unit (ECU) to control the vehicle’s functions and to connect it to other system entities (e.g., other connected vehicles, roadside equipment, and traffic management centres). In this way it exchanges information about the car’s location, environment, direction, and driving conditions, as well as the information necessary to control the vehicle’s devices. However, such a system could suffer from various security risks. For example, an attacker could establish a connection between the attacker’s device and the target vehicle. Security risks could be mitigated by limiting the VMM port functionality, by monitoring incoming information, and by blocking abnormal requests/services. The goals of this topic are:

  • Explain the system and business assets in autonomous driving vehicles;
  • Assess the security risks in autonomous driving vehicles;
  • Analyse the trade-offs in order to define the best-suited countermeasures to mitigate these risks.

To reach the above goals you would use the information systems security risk management approach combined with model-driven and data analysis methods. The approach includes: (1) a systematic explanation of the architecture of the connected autonomous vehicle, resulting in models of the system and business assets; (2) definition of security needs (e.g., regarding the vehicle’s tire pressure data, fuel level data, braking service, gearing service, information in emergency situations, infotainment services, firmware, etc.); (3) systematic analysis and estimation of the security risks using data analysis methods; (4) reasoning about and taking the security risk treatment decision; (5) elicitation of the security requirements; (6) recommendations to implement security controls regarding secure network services, communication, data privacy, secure software/firmware, physical security, access control, data input, fault tolerance, and others.