Application of the Common Criteria to Building Trustworthy Automotive SDLC

1. 1/39 Application of the Common Criteria to Building Trustworthy Automotive SDLC Seungyeon Jeong, Sooyoung Kang, Seungjoo Kim sodon513@gmail.com Department of Automotive Convergence, Korea University bbang814@gmail.com CIST (Center for Information Security Technologies), School of Cybersecurity, Korea University skim71@korea.ac.kr *Corresponding Author CIST (Center for Information Security Technologies), School of Cybersecurity, Korea University

2. 2/39 1. Motivation 2. Related works 3. CIA-Level Driven Secure SDLC Framework 4. Trustworthy Automotive SDLC 5. Case Study 6. Conclusion

3. 3/39 1. Motivation

4. 4/39 1. Motivation ▪ History 1970s 2022 1980s 2015 2002 • The US government recognized that it is not possible to improve the security of products by penetrate & patch approach. • The US government recognized that the product development process itself must be systematically and strictly managed(a.k.a. security-by-design) in order to improve the security of products. ※ Security-by-design: to reduce the complexity of the product by considering security from the initial phase of development process to achieve trustworthiness of the product

5. 5/39 1. Motivation ▪ History ※ Secure SDLC(Secure Software/System Development Life Cycle): The development process containing the security-by-design philosophy ※ UNECE (United Nations Economic Commission for Europe) • In the industry, Microsoft and IBM have been interested in secure SDLC at first and spread it to the industry. • The Department of Defense(DoD) demands an evaluation and improvement of cybersecurity of weapons systems based on operational requirements such as the Risk Management Framework(RMF). • UNECE requires the application of secure SDLC on vehicles by enacting UNECE automotive cybersecurity regulation(UNECE regulation). 1970s 2022 1980s 2015 2002

6. 6/39 1. Motivation ▪ From the early 1970s, the U.S. government has begun to recognize that it is impossible to improve the security of products only by penetration test. • They recognized that the development process should be systematically and strictly managed. ▪ From the 1980s, various standards related to security-by-design. • Development methodologies and evaluation and procurement system has begun to be published. ▪ In 2013, RMF was released aiming to manage the development and evaluation/procurement of computer systems of military. • According to the DoD Cyber Strategy announced in 2015, the scope of RMF has been expanded from computer systems to advanced weapons systems. ▪ In 2020, UNECE regulation is enacted, and from 2022 vehicles that do not comply with it cannot be exported to Europe. We propose a specific security-by-design methodology that can be applied in automotive development by using Common Criteria(CC) standard. Published standards or guidelines do not provide a detailed methodology of security-by-design, so it is very difficult to use them in the actual field.

7. 7/39 2. Related works

8. 8/39 2. Related works ▪ Research papers • We analyzed 66 research papers related to automotive security development. ✓ Papers published from 2010 to 2020, and only papers published in 4 major digital library of (i) ACM (ii) IEEE (iii) Springer, and (iv) Elsevier. ✓ Papers with 'Automotive' or 'CPS' as a keyword and have the subject of the entire process('Process’, 'Lifecycle’, 'Development'), some phases('Requirements analysis') or some activities('Fuzz test'). Phase Description Num Req/Des Requirement Analysis/ Design 56 Imp/ Veri Implementation/ Verification 5 Rel/ Oper Release/ Operation 1 Entire Entire process 4 Total 66 Req/Des(auto), 14 Imp/Veri(auto), 3 Rel/Oper(auto), 1 Entire(auto), 5 Req/Des Imp/Veri Rel/Oper Entire 0 10 20 30 40 50 60 Phase Number of studies CPS security development studies CPS Automotive ※ CPS(Cyber Physical System)

9. 9/39 2. Related works ▪ Research papers(Examples) • Setting Expectations for CC in the Software Development Lifecycle(ICCC, 2008) ✓ This research performed mapping between SDLC and CC but does not present specific SDLC activities. • Verification of IVI Over-The-Air using UML/OCL (ICCC, 2019) ✓ This research mentioned secure SDLC, but only covers the requirements analysis and design phases.

10. 10/39 2. Related works ▪ Secure SDLC standards & guidelines • Well-known secure SDLC standards and guidelines are extended and utilized in various fields. Software Microsoft SDL Secure SDLC developed by Microsoft and applied directly to operating systems and database products Not include disposal phase Lack of activity for implementation phaseNIST SSDLC Secure SDLC on Software and hardware developed by NISTSystem Best practices OWASP CLASP Secure SDLC to strengthen security in the early phases with 5 views and 24 activities Lack of information because the project period expired Vehicles SAE J3061 Secure SDLC guideline suggesting ways to ensure the security of automotive development Not include training and disposal phase ※ OWASP(Open Web Application Security Project), CLASP(Comprehensive, Lightweight Application Security Process), SAE(Society of Automotive Engineers) Target Secure SDLC Description Cons ※ SDL(Software Development Lifecycle), NIST(National Institute of Standards and Technology), SSDLC(Secure System Development Life Cycle)

11. 11/39 2. Related works ▪ Automotive Cybersecurity Regulation • UNECE is enacting automotive cybersecurity regulation to ensure security for the entire development process. ✓ Expected to take effect for new vehicles from 2022 and for the existing vehicles from 2024.

12. 12/39 2. Related works ▪ Automotive Cybersecurity Regulation • UNECE regulation is expected to expand as UAM development becomes active in the future. • Hyundai Motor Group has started to develop an innovative Urban Air Mobility(UAM) infrastructure. ✓ They decided to invest $1.5 billion over the next five years in infrastructure such as private air vehicles(PAVs) and hubs for UAM. • Global companies expect that the UAM market will experience explosive growth over the next 20 years. ✓ The Porsche Group predicts that the UAM market will grow rapidly from 2025, and the market demand will reach about 16,000 units worldwide by 2035. ✓ Morgan Stanley, an investment bank of the US, predicts that the autonomous mobility market, including UAM, will reach $1.5 trillion by 2040.

13. 13/39 3. CIA-Level Driven Secure SDLC Framework

14. 14/39 3. CIA-Level Driven Secure SDLC Framework ▪ Security-by-Design • To reduce the complexity of a product by considering security from the early phases of development(such as requirements analysis or design) and consequently to achieve the product's trustworthiness. • The trustworthiness is to achieve all aspects of the correctness, safety, and security of the product's functions. ▪ CIA • Trustworthiness which is the goal of security-by-design can be named after CIA. Functional Correctness Safety Integrity Security Assurance + + CIA-Level Driven Secure SDLC Framework

15. 15/39 3. CIA-Level Driven Secure SDLC Framework ▪ CIA-Level Driven Secure SDLC Framework(CIA-Level Framework) • Security-by-design methodology integrating secure SDLCs and evidence- based approaches • It combines 10 types of secure SDLCs and 3 types of evidence-based approaches. • It concretizes the secure SDLC to derive related processes, security activities, detailed security activities, and evidence templates. ※ Evidence-based approaches: A standard that provides a concrete way of performing a process by presenting detailed requirements(such as evidences, detailed activities, etc.) for each activities of the development process ※ CC(Common Criteria, ISO 15408) ※ PIMS(Privacy Impact Management System, ISO 27701) ※ ISMS(Information Security Management System, ISO 27001) • Microsoft SDL • NIST SSDLC • CSA SDF • SAFECode • MgGraw Touchpoints • OWASP CLASP • Cigital BSIMM • OWASP SAMM • NIST RMF • SAE J3061 Secure SDLC • CC • PIMS Evidence-based approach • ISMS Customized secure SDLC Process, Activities, Evidence Templates CIA-Level Framework

16. 16/39 3. CIA-Level Driven Secure SDLC Framework ▪ CIA-Level Framework • It quantitatively analyzes the difference in the level of secure SDLC process between enterprises and their competitors. • It can be useful when the enterprise wants to build secure SDLC in the actual field by easily eliciting requirements(security activities, detailed security activities, and evidence templates) to build secure SDLC at the desired level. CIA-Level Extractor Customized Secure SDLC Constructor Activity-Evidence Mapper Standards, Laws, Rules, and Regulations Customized Secure SDLC Process, Activities, Detailed Activities, Evidence Templates • Standards, Laws, Rules, and Regulations: Common Criteria, ISMS, PIMS, etc. • Activity-Evidence Mapper: Mapping Secure SDLC activities and evidences by CIA-Level Target Market

17. 17/39 ▪ Module that maps secure SDLCs and evidence-based approaches • It considers 10 types of secure SDLC standards and guidelines that are widely used in each field. ✓ It compares and analyzes those secure SDLCs and generalizes them into 10 phases. ✓ It derives 66 security activities by summing up all the security activities that need to be performed in each phase and removing redundant security activities. 3. CIA-Level Driven Secure SDLC Framework Activity-Evidence Mapper Analyze and normalize all the activities of each phase of every standard Integrate them into one single Secure SDLC Map secure SDLC and the SAR components of CC to the normalized activities Define detailed activities and build a template for each normalized activity Supplement the unmapped activities with other standards Standards, Laws, Rules, and Regulations Integrated Secure SDLC Process with detailed activities and evidence templates CC, CEM ISMS, PIMS, etc. ※ SAR(Security Assurance Requirements), CEM(Common Evaluation Methodology)

18. 18/39 3. CIA-Level Driven Secure SDLC Framework ▪ Integrated Secure SDLC Process – Security activities • CIA-Level Framework consists of a total of 66 activities for 10 phases and 28 evidence templates. 1. Security Training 2. Initiation 3. Requirements analysis 4. Acquisition 5. Design 6. Implement-ation 7. Verification 8. Production& Release 9. Operation 10. Disposal 1.1 Basic security training 3 9 9 3 12 3 8 7 7 5 1.2 Advanced security training 1.3 Plan training schedules 2.1 Project categorization 2.2 Role identification 2.3 Project tools selection 2.4 Security requirements source identification 2.5 Minimum quality level definition 2.6 Prepare compensation system for handling security issues 2.7 Plan project schedule 2.8 Security goals setting by field 2.9 Verifying consistency & completeness of goals 3.1 Estimating scope of project security analysis 3.2 Impact assessment for privacy 3.3 Impact assessment for business 3.4 Impact assessment for safety 3.5 Existing software assessment 3.6 Functional requirements elicitation 3.7 Security requirements elicitation 3.8 Conformity & conflict check on requirements by field 3.9 Verifying requirements based on security goals 4.1 Plan third-party components acquisition 4.2 Requirements definition for third- party components 4.3 Assessment & test for third-party components 10.1 Transfer & disposal procedure planning 10.2 Important information disposal 10.3 Media Erase 10.4 Hardware and software disposal 10.5 System shutdown 9.1 Monitoring planning 9.2 Continuous monitoring 9.3 Vulnerability report 9.4 Vulnerabilities assessment 9.5 Solution establishment 9.4 Vulnerability disclosure & patch/update 9.5 Configuration management after release 8.1 Final security review 8.2 Final privacy review 8.3 Requirements elicitation for production 8.4 Production procedure determination 8.5 Verification of production 8.4 Accident response planning 8.5 Security review for deployment procedure 7.1 Final security review 7.2 Final privacy review 7.3 Requirements elicitation for production 7.4 Production procedure determination 7.5 Verification of production 7.6 Accident response planning 7.7 Security review for deployment procedure 7.8 Security review for deployment procedure 5.1 Functions & design specification 5.2 Compliance with design best practices and principles 5.3 Structural design for the integration process 5.4 Asset identification 5.5 Create data flow diagram 5.6 Threat elicitation 5.7 Attack Library Collection 5.8 Risk analysis by field 5.9 Mitigation elicitation by field 5.10 Privacy analysis 5.11 Use case and misuse case identification 5.12 Verifying design based on requirements 6.1 Compliance with secure coding guidelines 6.2 Creation for deployment guide document and tools 6.3 Implementation verification according to design

19. 19/39 3. CIA-Level Driven Secure SDLC Framework ▪ Integrated Secure SDLC Process – Evidence templates • CIA-Level Framework consists of a total of 66 activities for 10 phases and 28 evidence templates. Phase Evidence Num. Phase Evidence Num. 1 Security Training • Security training plan • Training attendee list 2 6 Impleme- ntation • Source code • Unit test plan and test scenario • Unit test results 3 2 Initiation • Current process analysis • Current system analysis • Project plan • Software Requirements Specification 4 7 Verification • Integrated/system/acquisition test plan and test scenario • Integrated/system/acquisition test results • Vulnerability analysis 3 3 Require- ments Analysis • Impact assessment • Interface definition 2 8 Production & Release • Rehearsal plan and rehearsal result • Release request • Emergency incident response plan • Emergency accident response result 4 4 Acquisition • Acquisition confirmation document 1 9 Operation • Preparation result • Operator instructions • User guide • Vulnerability Response Plan • Vulnerability patch result 5 5 Design • Software design specification • Software architecture design and System architecture design specification • Integrated test plan and integrated test scenario 3 10 Disposal • System execution plan and system execution result 1

20. 20/39 3. CIA-Level Driven Secure SDLC Framework ▪ Repository that stores the mapping results and related details of Activity- Evidence Mapper • Database consists of a 4-table scheme. ✓ Table of 10 generalized secure SDLC phases ✓ Table of 66 security activities that must be performed at each phase ✓ Table of detailed security activity lists and descriptions ✓ Table of document templates that need to be produced Database Database scheme Integrated Secure SDLC Phase Activities Detailed Activities Evidence Document Templates CC (SAR & CEM) ISMS PIMS AAA BBB CCC DDD

21. 21/39 ▪ CIA-Level Extractor: Module that extracts the CIA-Level of a company's secure SDLC • It quantitatively analyzes the security activities of the secure SDLC and calculates CIA-Level. ✓ CIA-Level: Indicator of trustworthiness that composed of Level 1 to Level 7 ✓ It means that the secure SDLC is systematically and strictly managed as the level increases. ▪ GAP Analyzer: Module that analyzes the gap of secure SDLC level between the company and its competitors Integrated Secure SDLC Phase Activities Detailed Activities Evidence Document Templates CC (SAR & CEM) ISMS PIMS AAA BBB CCC DDD 3. CIA-Level Driven Secure SDLC Framework CIA-Level Extractor & GAP Analyzer Predict competitor’s secure SDLC process, Activities, Detailed Activities etc. Analyze the differences of each activity between the company and competitors Gap Analysis Report Average CIA-level of Competitor’s Flagship Products Company’s secure SDLC Process, Activities, Detailed Activities, Evidences, Tools, etc.

22. 22/39 3. CIA-Level Driven Secure SDLC Framework ▪ Module that provides detailed information on the level desired by the company • It provides secure SDLC process, security activities, detailed security activities, and evidence templates. ✓ It quantitative analyze on only relevant security activities out of a total of 66 security activities, considering the business sector and characteristics. ✓ It ensures traceability of the entire Secure SDLC by easily deriving documents that need to be produced. Customized Secure SDLC Constructor Select the phases according to the characteristics of the products of the company Choose the detailed activities and the evidence templates according to CIA level Customized Secure SDLC Process, Activities, Detailed Activities Evidence Templates CIA-Level Database

23. 23/39 4. Trustworthy Automotive SDLC

24. 24/39 4. Trustworthy Automotive SDLC ▪ Trustworthy Automotive SDLC(TA_SDLC) • Specific security-by-design methodology for automotive development • It is an application of CIA-Level Framework that is extended and utilized for automotive development. • It is assumed that automotive OEMs have a safety development process(Safety SDLC) according to ISO 26262. Security Level Extractor Safety & Security Integrator OEM’s Safety SDLC (ISO 26262 safety development process) Safety Level Extractor CIA-Level Framework Safety & Security Integrator TA_SDLC Requirements Requirements of UNECE regulation & ISO/SAE 21434 Customized TA_SDLC Process, Activities, Evidence Templates ※ ISO(International Organization for Standardization), ISO 26262: International standard for functional safety of electrical/electronic systems in road vehicles ※ OEM(Original Equipment Manufacturer)

25. 25/39 4. Trustworthy Automotive SDLC ▪ TA_SDLC Requirements • A total of 4 requirements of TA_SDLC were derived. ✓ They were selected based on the characteristics of automotive development. ※ Third-party component: components developed and utilized by other companies ※ Traceability: To ensure consistency in the results between phases so that we can trace back to the initial cause when a security problem occurs ※ Depth: Indicators for the degree of activities detail defined in this study ① Targets on system ② Includes the procedure of third-party components acquisition ③ Ensures traceability between phases ④ Provides detailed activities and the evidence templates for every phase of the process(depth=2) Depth = 0 Depth = 1 Depth = 2

26. 26/39 4. Trustworthy Automotive SDLC ASIL level of ISO 26262 ▪ Safety Level Extractor: Module that extracts the safety level of a company’s safety SDLC • We assume that automotive OEMs have a safety SDLC according to ISO 26262. ✓ ASIL: safety-related risk level defined by the ISO 26262 ✓ ASIL required for developing major functions of vehicles is C level or higher. ▪ Security Level Extractor: Module that extracts the security level corresponding to the safety level of the existing safety SDLC • It should satisfy EAL 5 to sufficient security for automotive development. ✓ EAL: security assurance level defined by CC ✓ ASIL C corresponds to the EAL 5 level of CC. Safety Level Extractor & Security Level Extractor ASIL C or higher ※ ASIL(Automotive Safety Integrity Level):, EAL(Evaluation Assurance Level), ISO/SAE 21434: International standard for security of E/E systems in road vehicles

27. 27/39 4. Trustworthy Automotive SDLC ▪ Framework that derives detailed secure SDLC for the target company • It derives secure SDLC suitable for automotive development by inserting TA_SDLC requirements and security level to the CIA-Level Framework. ▪ Module that integrates TA_SDLC derived from CIA-Level Framework and existing automotive safety SDLC • It derives Customized TA_SDLC suitable for ISO 26262’s safety SDLC. Safety & Security Integrator CIA-Level Framework EAL 5 CIA-Level Framework Safety & Security Integrator Customized TA_SDLC Process, Activities, Evidence Templates ISO 26262’s Safety SDLCTrustworthy Automotive SDLC Requirements Requirements of UNECE regulation & ISO/SAE 21434

28. 28/39 4. Trustworthy Automotive SDLC ▪ TA_SDLC Process – Activities • TA_SDLC consists of a total of 50 activities for 10 phases and 26 evidence templates. 1. Training 1.1 Perform training 1.1.1 Basic training 1.1.2 Advanced training 1.2 Plan training schedules 1.2.1 Training schedules planning 2. Initiation 2.1 Configure project environment 2.1.1 Project categorization 2.1.2 Role identification 2.1.3 Project tools selection 2.1.4 Requirements source identification 2.1.5 Minimum quality level definition 2.2 Plan project schedule 2.2.1 Project schedules planning 2.2.2 Project analysis coverage definition 2.3 Set & verify goals 2.3.1 Goals setting 2.3.2 Verifying consistency & completeness of goals 3. Requirements analysis 3.1 Assess impact level 3.1.1 Impact assessment 3.1.2 Conformity & conflict check on impact assessment results 3.1.3 Existing system assessment 3.2 Elicit requirements 3.2.1 Requirements elicitation 3.3 Verify requirements 3.3.1 Verifying requirements based on goals 3.2.2 Conformity & conflict check on requirements 4. Acquisition 4.1 Plan third-party components acquisition 4.1.1 Acquisition scope setting & planning 4.1.2 Requirements definition for third-party components 4.2 Use third-party components 4.2.1 Assessment & test for third-party components 5. Design 5.1 Design architecture 5.1.1 Functions & design specification 5.1.2 Design integrated structure 5.2 Analyze risk 5.2.1 Risk analysis 5.2.2 Mitigation elicitation 5.2.3 Conformity & conflict check on mitigations 5.3 Verify design 5.3.1 Verifying design based on requirements 6. Implementation 6.1 Build an implementation environment 6.1.1 Coding guidelines compliance 6.1.2 Guideline & tools creation 6.2 Verify Implementation 6.2.1 Verifying implementation based on design 7. Verification 7.1 Test 7.1.1 Static analysis 7.1.2 Dynamic analysis 7.2 Review before production 7.2.1 Final review 7.2.2 Documents review & update 7.1.3 Integration & acceptance test 7.1.4 Penetration test 8. Production& Release 8.1 Produce 8.1.1 Requirements elicitation for production 8.1.2 Production procedure determination 8.2 Establish response plans 8.2.1 Accident response planning 8.1.3 Verification of production 8.3 Review deployment procedure 8.3.1 Security review for deployment procedure 9. Operation 9.1 Monitor 9.1.1 Monitoring planning 9.1.2 Continuous monitoring 9.2 Respond to Incident 9.2.1 Vulnerability report 9.3 Manage configuration 9.3.1 Configuration management after release 9.2.2 Vulnerabilities assessment 9.2.3 Solution establishment 9.2.4 Vulnerability disclosure & patch/update 10. Disposal 10.1 Plan transfer & disposal procedure 10.1.1 Transfer & disposal procedure planning 10.2 Build transfer & disposal environment 10.2.1 Providing guidelines for transfer & disposal procedures 3 9 6 3 6 3 6 5 7 2

29. 29/39 4. Trustworthy Automotive SDLC ▪ TA_SDLC Process – Evidence templates • TA_SDLC consists of a total of 50 activities for 10 phases and 26 evidence templates. Phase Evidence Num. Phase Evidence Num. 1 Training • Training plan • List of attendance at training 2 6 Impleme- ntation • System implementation report • User's manual or tool • Project implementation verification report 3 2 Initiation • Project plan • Project goal verification report 2 7 Verification • Test plan • Test result report • Vulnerability Analysis report • Final review report 4 3 Require- ments Analysis • Impact assessment report • Requirements definition report • Project requirements verification report 3 8 Production & Release · Production plan · Production verification report · Accident response plan 3 4 Acquisition • Acquisition plan • Acquisition inspection report 2 9 Operation · System monitoring report · Accident response report 2 5 Design • Design specification • Architecture specification • System Risk Analysis report • Project design verification report 4 10 Disposal · Guidelines for system transfer and disposal 1

30. 30/39 5. Case Study

31. 31/39 5. Case Study – CIA-Level Framework(Company A) ▪ To prove the effectiveness of the CIA-Level Framework, we applied it to a representative software development company(A) in Korea. ▪ We selected competitors of company A and performed the following process. • After selecting the competitor as Microsoft, we selected CIA-Level 4 based on the CC certification cases. 1. Identify the characteristics of the enterprise 2. Select competitors based on the result of #1 3. Deviate average CIA-level of competitors 4. Select phase and security activities associated with the enterprise 5. Deviate CIA-level for each enterprise security activity 6. Analyze secure SDLC level gap between competitor and enterprise 7. Elicit gap analysis report and result graph 8. Share analysis results to security managers 8. Select CIA-level that enterprise wants 10. Provide suitable secure SDLC process, security activities, detailed security activities, artifacts, etc Product name EAL Year DB Microsoft SQL Server 2014 EAL2+ 2015 Microsoft SQL Server 2014 EAL4+ 2015 Microsoft SQL Server 2016 EAL4+ 2017 Microsoft SQL Server 2016 Database Engine Enterprise Edition EAL2+ 2017 Microsoft SQL Server 2017 EAL4+ 2020 OS Microsoft Windows 10 EAL1 2016 Windows 10 Anniversary Update and Microsoft Windows Server 2016 EAL1 2017 Microsoft Windows 10 EAL1 2018 Windows 10 and Windows Server EAL1 2018 Windows 10 and Windows Server EAL1 2019 Windows 10 and Windows Server 2019 version 1809 EAL1 2019 Windows 10 and Server version 1903 EAL1 2019

32. 32/39 5. Case Study – CIA-Level Framework(Company A) ▪ We selected 8 of the 10 phases: security training, initiation, requirements analysis, design, implementation, verification, release, and operation. • Out of 66 security activities, 58 were selected, and company A determined that only 6 out of 58 security activities had the same level as Microsoft. ▪ We suggested a secure SDLC suitable for company A by applying CIA-Level Framework. • Afterward, the effectiveness of the framework has been proved as company A applied the improved process to the actual environment. 0 1 2 3 4 5 6 7 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 Level Activity Company A Microsoft Security Training Initiation Requirements Analysis Design Implemen -tation Verification Release Operation

33. 33/39 5. Case Study – TA_SDLC(Company B) ▪ In order to prove the effectiveness of TA_SDLC, we applied it to a representative automotive OEM(B) in Korea targeting the European market. ▪ We performed the following process based on company B's development process. • We estimated the satisfaction level of company B's development process for each activity of TA_SDLC. ▪ Company B does not have a systematic security development process and performs security activities sporadically. • We collected information mainly based on expert interviews to understand the security activities performed by company B. 1. Identify company B's development process and activities 2. Estimate satisfaction level of company B's development process with TA_SDLC’s phases and activities 3. Derive improvements of company B's development process for automotive security-by-design

34. 34/39 5. Case Study – TA_SDLC(Company B) ▪ We determined that company B performs only 34 activities out of the 50 activities of TA_SLDC, and 16 additional activities should be performed to achieve automotive security-by-design. • Afterward, we suggested that automotive OEMs could improve the company's development process to satisfy UNECE regulation and develop vehicles with trustworthiness. Phase Number of activities (B/TA_SDLC) 1 Training 2/3 2 Initiation 8/9 3 Requirements Analysis 3/6 4 Acquisition 3/3 5 Design 5/6 6 Implementation 2/3 7 Verification 3/6 8 Production & Release 4/5 9 Operation 4/7 10 Disposal 0/2 Total 34/50

35. 35/39 6. Conclusion

36. 36/39 6. Conclusion ▪ Since the 1980s, the US government has recognized that the development process must be systematically and strictly managed to improve security. ▪ Afterward, Secure SDLC which applies the security-by-design philosophy has begun to be used. • However, it is difficult to use them in the actual field since they are too general. ▪ In this study, we proposed a CIA-Level Framework that derives detailed secure SDLC by integrating existing secure SDLCs and evidence-based approaches. ▪ We also proposed TA_SDLC, a specific automotive security-by-design methodology derived by CIA-Level Framework. ▪ In addition, we did case studies of CIA-Level Framework and TA_SDLC. • By applying CIA-Level Framework to a representative software development company, the effectiveness of CIA-Level Framework was verified. • By applying TA_SDLC to a representative automotive OEM, the possibility of developing vehicles with trustworthiness was presented.

37. 37/39 Reference 1. Abdo, H., et al. "A safety/security risk analysis approach of Industrial Control Systems: A cyber bowtie–combining new version of attack tree with bowtie analysis." Computers & Security 72 (2018): 175-195. 2. Apvrille, Ludovic, and Letitia W. Li. "Harmonizing safety, security and performance requirements in embedded systems." 2019 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 2019. 3. Asplund, Fredrik, et al. "Rapid Integration of CPS Security and Safety." IEEE Embedded Systems Letters 11.4 (2018): 111-114. 4. Bhalla, Nishchal, et al. "Security risk identification in a secure software lifecycle." U.S. Patent Application No.15784072. 2019 5. Bramberger, Robert, et al. "Co-engineering of Safety and Security Life Cycles for Engineering of Automotive Systems." ACM SIGAda Ada Letters 39.2 (2020): 41-48. 6. Brunner, Michael, et al. "Towards an integrated model for safety and security requirements of cyber-physical systems." 2017 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C). IEEE, 2017. 7. Casola, Valentina, et al. "A novel Security-by-Design methodology: Modeling and assessing security by SLAs with a quantitative approach." Journal of Systems and Software 163 (2020): 110537. 8. Chen, Earl, et al. "Designing security into software during the development lifecycle." U.S. Patent Application No. 13619581. 2013. 9. Chowdhury, Thomas, et al. "Safe and secure automotive over-the-air updates." International Conference on Computer Safety, Reliability, and Security. Springer, Cham, 2018. 10. Cigital, "Building Security in Maturity Model 1.0." 11. CSA, “security-by-design Framework version 1.0”. 2017 12. Dobaj, Jürgen, et al. "Towards Integrated Quantitative Security and Safety Risk Assessment." International Conference on Computer Safety, Reliability, and Security. Springer, Cham, 2019. 13. Fowler, Daniel S., et al. "A Method for Constructing Automotive Cybersecurity Tests, a CAN Fuzz Testing Example." 2019 IEEE 19th International Conference on Software Quality, Reliability and Security Companion (QRS-C). IEEE, 2019. 14. Futcher, Lynn, and Rossouw von Solms. "SecSDM: a model for integrating security into the software development life cycle." IFIP World Conference on Information Security Education. Springer, New York, NY, 2007. 15. Geismann, Johannes, Christopher Gerking, and Eric Bodden. "Towards ensuring security-by-design in cyber-physical systems engineering processes." Proceedings of the 2018 International Conference on Software and System Process. 2018. 16. Huang, Kaixing, et al. "Assessing the physical impact of cyberattacks on industrial cyber-physical systems." IEEE Transactions on Industrial Electronics 65.10 (2018): 8153-8162. 17. ISO/IEC 15408, "Information technology - Security techniques - Evaluation criteria for IT security(CC)." 18. ISO/IEC 27001, "Information Security Management(ISMS)." 19. ISO/IEC 27701, "Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management (PIMS).“ 20. Koschuch, Manuel, et al. "Safety & Security in the Context of Autonomous Driving." 2019 IEEE International Conference on Connected Vehicles and Expo (ICCVE). IEEE, 2019. 21. Kriaa, Siwar, et al. "A survey of approaches combining safety and security for industrial control systems." Reliability engineering & system safety 139 (2015): 156-178. 22. Kriaa, Siwar, et al. "A survey of approaches combining safety and security for industrial control systems." Reliability engineering & system safety 139 (2015): 156-178. 23. Lee, Younghwa, Jintae Lee, and Zoonky Lee. "Integrating software lifecycle process standards with security engineering." Computers & Security 21.4 (2002): 345-355. 24. Lisova, Elena, Irfan Šljivo, and Aida Čaušević. "Safety and security co-analyses: A systematic literature review." IEEE Systems Journal 13.3 (2018): 2189-2200. 25. Mellado, Daniel, Eduardo Fernández –Medina, and Mario Piattini. " A common criteria based security requirements engineering process for the development of secure information systems." Computer standards & interfaces 29.2 (2007): 244-253. 26. Mesquida, Antoni Lluís, and Antonia Mas. "Implementing information security best practices on software lifecycle processes: The ISO/IEC 15504 Security Extension." Computers & Security 48 (2015): 19-34. 27. Michailidis, Alexander, et al. "Test front loading in early stages of automotive software development based on AUTOSAR." 2010 Design, Automation & Test in Europe Conference & Exhibition (DATE 2010). IEEE, 2010. 28. Microsoft, "Security Development Lifecycle - SDL Process Guidance Version 5.2", 2012

38. 38/39 Reference 29. Mir, Talhah Munawar, et al. "Threat analysis and modeling during a software development lifecycle of a software application." U.S. Patent No.8091065. 2012. 30. Mohammed, Nabil M., et al. "Exploring software security approaches in software development lifecycle: A systematic mapping study." Computer Standards & Interfaces 50 (2017): 107-115. 31. Morrison, Patrick, et al. "Mapping the field of software life cycle security metrics." Information and Software Technology 102 (2018): 146-159. 32. Nayerifard, Tahereh, Nasser Modiri, and Sam Jabbehdari. "An Approach for Software Security Evaluation Based on ISO/IEC 15408 in the ISMS Implementation." International Journal of Computer Science and Information Security 11.9 (2013): 7. 33. NIST, "NIST Special Publication 800-37 Revision 2 – Risk Management Framework for Information Systems and Organizations." 34. Oka, Dennis Kengo, Tommi Makila, and Rikke Kuipers. "Integrating Application Security Testing Tools into ALM Tools in the Automotive Industry." 2019 IEEE 19th International Conference on Software Quality, Reliability and Security Companion (QRS-C). IEEE, 2019. 35. OWASP, "Comprehensive, Lightweight Application Security Process." 36. OWASP, "Software Assurance Maturity Model 2.0 – A guide to building." 37. Pricop, Emil, Sanda Florentina Mihalache, and Jaouhar Fattahi. "Innovative fuzzy approach on analyzing industrial control systems security." Recent Advances in Systems Safety and Security. Springer, Cham, 2016. 223-239. 38. Sabaliauskaite, Giedre, Sridhar Adepu, and Aditya Mathur. "A six-step model for safety and security analysis of cyber-physical systems." International Conference on Critical Information Infrastructures Security. Springer, Cham, 2016. 39. SAE, "Cybersecurity Guidebook for Cyber-Physical Vehicle Systems” 40. SAFECode, “Fundamental Practices for Secure Software Development 2nd Edition” 41. Sánchez-Gordón, Mary-Luz, et al. "Towards the Integration of Security Practices in the Software Implementation Process of ISO/IEC 29110: A Mapping." European Conference on Software Process Improvement. Springer, Cham, 2017. 42. Schilder, Marius, et al. "Secure device state apparatus and method and lifecycle management." U.S. Patent No.10223531. 2018. 43. Schmittner, Christoph, Zhendong Ma, and Erwin Schoitsch. "Combined safety and security development lifecylce." 2015 IEEE 13th International Conference on Industrial Informatics (INDIN). IEEE, 2015. 44. Sheikhpour, Razieh, and Nasser Modiri. "A best practice approach for integration of ITIL and ISO/IEC 27001 services for information security management." Indian journal of science and technology 5.2 (2012): 2170-2176. 45. Silke Holtmanns and Rune Lindholm, "Enhanced lifecycle management of security module", Patent Application No.CN103988530A. 2018. 46. Skoglund, Martin, Fredrik Warg, and Behrooz Sangchoolie. "In Search of Synergies in a Multi-concern Development Lifecycle: Safety and Cybersecurity." International Conference on Computer Safety, Reliability, and Security. Springer, Cham, 2018. 47. Takahira, Ricardo Y., et al. "Scrum and Embedded Software development for the automotive industry." Proceedings of PICMET'14 Conference: Portland International Center for Management of Engineering and Technology; Infrastructure and Service Integration. IEEE, 2014. 48. Tiirik, Karl. "Comparison of SDL and Touchpoints." Last retrieved 11 (2004): 16-18. 49. United States Congress, "NIST SP 800-64 Revision 2 – Security Considerations in the System Development Life Cycle", 2019 50. Verma, Siddhartha, et al. "Combined Approach for Safety and Security." International Conference on Computer Safety, Reliability, and Security. Springer, Cham, 2019. 51. Vincent, Benjamin, and Ariel Gordon. "Security configuration lifecycle account protection for minors." U.S. Patent Application No.16022554. 2020 52. Wilcock, Lawrence, et al. "Automated lifecycle management of a computer implemented service." U.S. Patent No.8312419. 2012. 53. Wolff, Carsten, et al. "AMALTHEA—Tailoring tools to projects in automotive software development." 2015 IEEE 8th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS). Vol. 2. IEEE, 2015. 54. Yi, Shengwei, et al. "A safety-security assessment approach for communication-based train control (cbtc) systems based on the extended fault tree." 2018 27th International Conference on Computer Communication and Networks (ICCCN). IEEE, 2018. 55. Young, William, and Nancy G. Leveson. "An integrated approach to safety and security based on systems theory." Communications of the ACM 57.2 (2014): 31-35. 56. Zhang, Yanan, et al. "Test and Evaluation System for Automotive Cybersecurity." 2018 IEEE International Conference on Computational Science and Engineering (CSE). IEEE, 2018.

39. 39/39 Application of the Common Criteria to Building Trustworthy Automotive SDLC This research was supported by the MSIT(Ministry of Science and ICT), Korea, under the ITRC(Information Technology Research Center) support program(IITP-2020-2015-0- 00403)supervised by the IITP(Institute for Information &communications Technology Planning &Evaluation) Seungyeon Jeong, Sooyoung Kang, Seungjoo Kim sodon513@gmail.com Department of Automotive Convergence, Korea University bbang814@gmail.com CIST (Center for Information Security Technologies), School of Cybersecurity, Korea University skim71@korea.ac.kr *Corresponding Author CIST (Center for Information Security Technologies), School of Cybersecurity, Korea University

40. 40/39 Appendix A ▪ Effectiveness of TA_SDLC • Comparative analysis with existing researches ✓ We compared TA_SDLC with existing researches by TA_SDLC requirements. ✓ TA_SDLC considers the aspect of trustworthiness and consists of detailed activities derived by the existing secure SDLC standards and evidence-based approaches. Features Existing secure SDLC Relevant studies TA_SDLCMicrosoft SDL NIST SSDLC OWASP CLASP SAE J3061 Takahir a et al. Young et al. Schmi- ttner et al. Skogl- und et al. Kosch- uch et al 1 Targets on system X O X O O O O O O O 2 Includes the procedure of third-party components acquisition X O O O X X X X X O 3 Considers aspect of trustworthiness X X X O O O O O O O 4 Satisfies the level of safety and security required by automotive development X X X X X X X X X O 5 Ensures traceability between phases O O X O X X O X X O 6 Provides detailed activities for every phase of the process (phase num./activity num.) 8/34 9/36 9/21 9/26 6/13 0/0 7/28 2/8 0/0 10/50

41. 41/39 Appendix A ▪ Effectiveness of TA_SDLC • Comparative analysis with UNECE regulation requirements ✓ We mapped a total of 16 requirements of UNECE regulation related to the development process to each TA_SDLC activity. ✓ TA_SDLC can be used for certification of the UNECE regulation. UNECE regulation requirements (7.2. Requirements for the CSMS(Cyber Security Management System)) TA_SDLC activities(activity number) 1 The vehicle manufacturer shall have a CSMS in place and shall comply with this Regulation. Total 2 The vehicle manufacturer shall demonstrate that their CSMS applies to the development phase. Total 3 CSMS shall include the processes used within the manufacturer’s organization to manage cyber security. Total 4 CSMS shall include the processes used for the identification of risks to vehicles. 3.1.1/3.1.2/5.2.1/ 5.2.3 5 CSMS shall include the processes used for the assessment, categorization and treatment of the risks identified. 5.2.2/5.2.3 6 The vehicle manufacturer shall demonstrate how their CSMS will manage dependencies that may exist with contracted suppliers, service providers or manufacturer’s sub-organizations. 4.1.1/4.1.2/4.2.1 7 CSMS ensure security shall include the processes used for testing the cyber security of a vehicle. 7.1.1/7.1.2/7.1.3/7.1.4 8 CSMS ensure security shall include the processes in place to verify that the risks identified are appropriately managed. 7.2.1/9.1.1/9.1.2/9.3.1 9 The vehicle manufacturer shall demonstrate that their CSMS applies to the production phase. 8.1.1/8.1.2/8.1.3 10 The vehicle manufacturer shall demonstrate that the processes that include the capability to analyze and detect cyber threats, vulnerabilities and cyber-attacks from vehicle data and vehicle logs. 9.1.1/9.1.2/9.2.1 11 CSMS shall include the processes used for ensuring that the risk assessment is kept current. 9.2.4/9.3.1 12 CSMS shall include the processes used to monitor for, detect and respond to cyber-attacks, cyber threats and vulnerabilities on vehicles. 9.1.1/9.1.2/9.2.1/9.2.2/9.2.3/9.2.4/9.3.1 13 CSMS shall include the processes used to assess whether the cyber security measures implemented are still effective in the light of new cyber threats and vulnerabilities that have been identified. 7.2.1/9.2.3 14 The vehicle manufacturer shall demonstrate that the processes used within their CSMS will ensure that cyber threats and vulnerabilities which require a response from the vehicle manufacturer shall be mitigated within a reasonable timeframe. 9.2.1/9.2.2/9.2.3/9.2.4 15 The vehicle manufacturer shall demonstrate that the processes that include vehicles after first registration in the monitoring. 9.1.1/9.1.2 16 The vehicle manufacturer shall demonstrate that their CSMS applies to the post-production phase. 8.1.1/8.1.2/8.1.3/8.2.1/8.3.1/9.1.1/9.1.2/9.2.1/9.2.2/9.2. 3/9.2.4/9.3.1/10.1.1/10.2.1

42. 42/39 Appendix B ▪ TA_SDLC Requirements • A total of 4 requirements of TA_SDLC were derived. ✓ They were selected based on the characteristics of automotive development. ※ Third-party component: components developed and utilized by other companies Hardware Software System OEMs do not develop all components of a vehicle on their own but acquire components from partners such as 1-tier and 2-tier. ① Targets on a system(Software and Hardware) ② Includes the procedure of third-party components acquisition ① Targets on system ② Includes the procedure of third-party components acquisition ③ Ensures traceability between phases ④ Provides detailed activities and the evidence templates for every phase of the process(depth=2)

43. 43/39 Appendix B ▪ TA_SDLC Requirements • A total of 4 requirements of TA_SDLC were derived. ✓ They were selected based on the characteristics of automotive development. ※ Traceability: To ensure consistency in the results between phases so that we can trace back to the initial cause when a security problem occurs ※ Depth: Indicators for the degree of activities detail defined in this study Depth = 0 Depth = 1 Depth = 2 Verification Implemen- tation Design Requirements Analysis Operation Traceability Problem occurs ③ Ensures traceability between phases ④ Provides detailed activities and the evidence templates for every phase of the process(depth=2) ① Targets on system ② Includes the procedure of third-party components acquisition ③ Ensures traceability between phases ④ Provides detailed activities and the evidence templates for every phase of the process(depth=2)

44. 44/39 Appendix C ▪ Trustworthiness • Functional Correctness + Safety Integrity + Security Assurance • Functional Correctness ✓ The product operates exactly as designed • Safety Integrity ✓ Errors that occur inside the product are not exposed externally and can harm users • Security Assurance ✓ confidentiality: authorized users only have access to information assets of the system ✓ integrity: the system is fully preserved without inappropriate change or destruction of information ✓ availability: access to and use of system information at any time users want C IFunctional Safety = Functional Correctness + Safety Integrity A Security Assurance = Confidentiality + Integrity + Availability = + +

Application of the Common Criteria to Building Trustworthy Automotive SDLC

You are reading a preview.

Check these out next

Application of the Common Criteria to Building Trustworthy Automotive SDLC

More Related Content

Slideshows for you (20)

Similar to Application of the Common Criteria to Building Trustworthy Automotive SDLC (20)

More from Seungjoo Kim (20)

Recently uploaded (20)