Security risk assessment framework for smart car using the attack tree analysis

As the automobile industry has recently adopted information technologies, the latter are being used to replace mechanical systems with electronically-controlled systems. Moreover, automobiles are evolving into smart cars or connected cars as they are connected to various IT devices and networks such as VANET (Vehicular Ad hoc NETwork). Although there were no concerns about the hacking of automobiles in the past, various security threats are now emerging as electronic systems are gradually filling up the interiors of many automobiles, which are in turn being connected to external networks. As such, researchers have begun studying smart car security, leading to the disclosure of security threats through the testing or development of various automobile security technologies. However, the security threats facing smart cars do not occur frequently and, practically speaking, it is unrealistic to attempt to cope with every possible security threat when considering such factors as performance, compatibility, and so forth. Moreover, the excessive application of security technology will increase the overall vehicle cost and lower the effectiveness of investment. Therefore, smart car security risks should be assessed and prioritized to establish efficient security measures. To that end, this study constructed a security risk assessment framework in a bid to establish efficient measures for smart car security. The proposed security risk assessment framework configured the assessment procedure based on the conventional security risk analysis model GMITS (ISO13335) and utilized 'attack tree analysis' to assess the threats and vulnerabilities. The security risk assessment framework used the results of an asset analysis, threat/vulnerability analysis, and risk analysis to finally assess the risk and identify the risk rating. Moreover, it actually applied the proposed framework to assess security risks concerning targeted increases in vehicle velocity and leakages of personal information, which are the leading threats faced by smart cars. Here, the framework was applied to vehicle velocity increase and personal information leakage, which are the leading threats.