A Study on Threat Analysis and Risk Assessment Based on the "Asset Container " Method and CWSS

In recent years, legislation and standardization of cyber security management for cyber-physical systems such as automotive systems have been progressing steadily. ISO/SAE 21434, published in 2021, addresses the management and analysis of electrical systems within road vehicles from a cybersecurity perspective. It also recommends some methods for the threat analysis and risk assessment (TARA) process. However, there are two problems in the evaluation methods derived from conventional security analysis approaches. One problem is related to the insufficient evaluation of attack feasibilities for cyber-physical systems by the CVSS-based approach. Another problem is the unclear relationship between damage factors in analyzing the impact of damage to each asset. In this paper, we focus on the TARA process, and apply an "asset container " method for threat classification, proposed by the authors at DECSoS 2017, and a CWSS-based risk quantification method. Moreover, we can also add some perspective to improve risk evaluation suitable for automotive systems. Following our past studies on methodologies to evaluate the risk of such special cyber-physical systems, we can quantify risks limited to some cyber-physical systems, such as direct access attacks to in-vehicle networks.