Validating vehicleLang, a domain-specific threat modelling language, from an attacker and industry perspective

Abstract: Today’s vehicles are incredibly complex devices with vast networks of integratedelectronics and connectivity. This has led to improved safety, fuel efficiencyand comfort. However, with more electronics and connectivity comesan ever-increasing attack surface for adversaries to exploit. To help vehicle designersbetter understand the security risks and therefore reduce them, threatmodelling can be utilised. vehicleLang is a threat modelling language explicitlycreated for vehicles to model and simulate attacks to produce probabilisticattack graphs. An accompanying tool to vehicleLang called securiCADprovides a GUI to design and analyse vehicleLang models. This thesis analysesvehicleLang and securiCAD by modelling Scania vehicles and severalwell-known attacks, while also using insights gained from penetration testing.vehicleLang and securiCAD are found to be good proofs-of-concept but donot support the level of detail and features required to fully model the attacksurfaces in vehicles and be of use in a vehicle designers workflow. Thus thisthesis goes on to analyse and suggest features for vehicleLang and securiCADto achieve this.