Aligning MITRE attack framework with threat analysis and risk assessment (TARA) to support R155 compliance

University essay from Luleå tekniska universitet/Institutionen för system- och rymdteknik

Abstract: Cyber security is evidently more important in today's and tomorrow's connected and autonomous vehicles because the increasing connectivity in these vehicles is widening the vehicle attack surface. Without a cyber-secure vehicle, it is not possible to argue that connected and autonomous vehicles are safe for all road users. Two cyber security references, UN R155 and ISO 21434, were released to help vehicle manufacturers tackle cyber security risks. To comply with R155 and ISO 21434, security engineers must conduct threat analysis and risk assessment (TARA) and attack path analysis to identify the possible attack paths that could be used to exploit a connected vehicle. In this paper, the researcher looked into the MITRE attack framework, which stores attackers' tactics, techniques and procedures, and the automotive attack matrix by VicOne to build knowledge that would be helpful in conducting attack path analysis. The researcher collaborated with AFRY to conduct action research, which resulted in the creation of a novel threat (TARA) catalogue from the MITRE attack framework, the automotive attack matrix and the Annex 5 threats in R155. The threat catalogue developed in the study is an initial step in providing structure to the process of conducting attack path analysis.
