copyright@2019 CAV Technologies Co., Ltd. all rights reserved.
Security First
CAV Technologies
AutoSec China 2019
Mission Possible: Advanced Threat Analysis Tool for All
KENJI TAGUCHI
CAV TECHNOLOGIES CO. LTD
SEPT/18/2019
Joint Work with A. Ohba (Japan Automotive Research Institute)
About this presentation
• This presentation overviews the threat analysis tool called cp/TARA, which was originally developed under the Japanese government research project on cybersecurity of automotive systems run by the Ministry of Economy, Trade and Industry (METI) and the Ministry of Land, Infrastructure, Transport and Tourism (MLIT).
• This presentation is co-authored by A. Ohba (Japan Automotive Research Institute).
• The following reports published by METI summarize the outcome of the research project and include a summary of the design and the adopted threat analysis methods of cp/TARA, which will be explained in this presentation:
• https://www.meti.go.jp/meti_lib/report/H29FY/000362.pdf (Japanese only)
• https://www.meti.go.jp/meti_lib/report/H30FY/000350.pdf (Japanese only)
Research Project: Cybersecurity for automotive systems
(Figure: four-layer landscape of automotive security. Layer 1 Mobility society: cloud, smartphone, V2X, charging station. Layer 2 Vehicle: TCU, Bluetooth, Wi-Fi, V2X, PLC, GW, Diag tool, ADAS, H/U. Layer 3 In-vehicle: Locator, Multi-media, ADAS, Powertrain, Chassis, Body. Layer 4 Component: Steer, Brake, Air-con, Door.)
• The whole landscape of security issues for the automotive domain can be illustrated by Layer 1 to Layer 4.
• The theme of the project was security issues on Layer 2, i.e., the vehicle itself, and it focuses on 1) threat analysis and a threat library, 2) evaluation methods and criteria for countermeasures and 3) lightweight digital signatures for V2X.
• This presentation is focused on the first part of 1).
Layer 1 Outside communication: +Encryption, +Digital signature, +Access control (Authentication, filtering)
Layer 2 GW: +Access control (filtering), +Key management, +ECU authentication, +Anomaly detection, +Secure log
Layer 3 In-vehicle network: +Detection of message spoofing, +Encryption
Layer 4 ECU: +Secure programming, +Secure storage, +Secure boot
Why do we need threat analysis in the first place?
(Figure: PoC demonstrations on vehicles: Black Hat 2015, Jeep Cherokee; Black Hat 2016, Tesla Model S; DEF CON 2019, GPS tracking app MyCar; Relay Station Attack (RSA) (Wikipedia).)
Many PoC demonstrations by white-hat hackers!
Key to the problem: secure architecture and mechanisms built on sound and robust cryptographic foundations:
+ Message authentication
+ FOTA
+ Secure boot
+ Hardware security module
+ Intrusion detection and protection
+ Secure Diagnostic Service (UDS)
…
How do we design an optimal secure architecture, and how can we be confident of its robustness against potential threats?
Possible solution: threat analysis at an early stage of development.
Necessary ingredients for threat analysis
Multiple methods are necessary to capture all necessary ingredients for threat analysis.
(Figure: the Layer 2 vehicle landscape (TCU, Bluetooth, Wi-Fi, V2X, PLC, cloud, smartphone, charging station, GW, Diag tool, ADAS, H/U, Locator, Multi-media, Powertrain, Chassis, Body, Steer, Brake, Air-con, Door) annotated with the questions below.)
• Where does an attack come from?
• What should be protected?
• What attack is possible?
• How can an attack reach its target?
• How can we protect it?
• Where should protection be placed?
Multiple methods for threat analysis and existing methods
• The following architectural information helps analyze potential threats:
• Assets: what should be protected from attacks?
• Entry points/IF: where does an attack come from?
• Attack path/threat scenario: how can an attack reach its target?
• Trust boundary/security perimeter: how to recognize the surface/boundary exposed to attacks?
• Security boundary: where should protection be placed?
Existing methods that cover these ingredients: Zone and conduit (IEC 62443); Trust boundary (MS Threat Modeling Tool); Security perimeter (DO-356); Assets (ISO 27005); Threat scenario (DO-356).
(HEAVENS, Security models D2, ver. 2.0, March 18, 2016)
(RTCA DO-356: Airworthiness Security Methods and Considerations, 2014)
(Figure: Zone X and Zone Y joined by a Conduit.)
Threat analysis tool based on attack trees: SecuLia
• SecuLia is a threat analysis tool jointly developed with Gaio Technology.
‒ Add-in application of Enterprise Architect (EA) by Sparx Systems Co., Ltd.
• Main functionalities
‒ Fault Tree Analysis
‒ Attack Tree Analysis: risk assessment a la EVITA; minimal cut set
‒ FT-AT Analysis: analysis of the interference of security against safety (I/F between HARA and TARA)
‒ Extendable risk assessment: the risk assessment is programmable
(Figure: Enterprise Architect (EA) (Sparx Systems Co., Ltd) with the SecuLia add-in application, showing an FT-AT diagram and an AT diagram.)
Necessary ingredients for threat analysis
SecuLia only supports detailed analysis on attacks. The remaining parts (the questions above other than "what attack is possible?") still have to be developed.
Its initiation
• cp/TARA was developed under the Japanese government research project on cybersecurity of automotive systems by METI and MLIT.
cp/TARA (Common Platform for TARA) overview
• Threat analysis tool for automotive systems
• Refer to its initiation above.
• Integrated platform
• Provides a common platform to integrate various threat analysis methods and risk assessment criteria
• Secure MBD (Model Based Development)
• Supports SysML based Model Based Development (block definition diagrams and requirements diagrams are conservatively extended to model security features)
• Compliance to standards/guidelines
• Can be accommodated to comply with several security standards/guidelines
• Advanced methodologies
• TARA for multi-staged attacks and associated defense in depth
• Built-in security features as architectural components
• Detailed threat analysis and risk assessment based on attack trees a la EVITA
• Flexibility
• Any additional new programs/features can be easily integrated as an add-on program thanks to the extension facility of Enterprise Architect (Sparx Systems Pty Ltd.)
• In fact, cp/TARA is itself a set of integrated add-on programs of Enterprise Architect
TARA: Threat Analysis and Risk Assessment
Wide variety of analysis techniques in cp/TARA
• Block definition diagrams and requirements diagrams are extended to model critical security features.
• Conservative extension (the existing SysML specification is preserved)
• Substantial security features are added to those diagrams.
• The attack analysis tool SecuLia (Gaio Technology Co., Ltd) is integrated into cp/TARA to support ATA.
• System level threat analysis diagrams are newly developed to model multi-stage attacks and associated defense in depth.
(Figure: the cp/TARA diagram family on Enterprise Architect (EA)/SysML (Sparx Systems Pty Ltd.): Secure Block Definition Diagrams (SysML) for threat analysis on architecture information; Security Requirements Diagrams (SysML) for countermeasure analysis; Attack Tree Diagrams (SecuLia) for detailed analysis on attacks; System level threat analysis diagrams (new) for attack paths.)
Necessary ingredients for threat analysis: solved!
SecuLia supports detailed analysis on attacks. The remaining parts are developed in cp/TARA.
These are all add-in programs of EA
What is SysML?
• SysML (Systems Modeling Language) is a general-purpose graphical modeling language for specifying,
analyzing, designing, and verifying complex systems that may include hardware, software, information,
personnel, procedures, and facilities
• from OMG SysML page: http://www.omgsysml.org/what-is-sysml.htm
• As the picture below shows, SysML diagrams can be classified into behavior diagrams such as the state machine diagram, the requirement diagram, and structure diagrams such as the block definition diagram.
• SysML can be modified thanks to extension mechanisms inherited from UML (Unified Modeling Language), such as stereotypes and tagged values.
(from http://www.omgsysml.org/what-is-sysml.htm)
Threat analysis baseline process: Overview
• Architecture information, functional module list, network I/F information as preliminary info on the system.
• Usage of the system as use cases
• Attackers’ profile, organizational security policies, risk assessment criteria, etc.
• Identify assets from architecture info.
• Identify attack surfaces.
• Identify threats from attack surfaces.
• Detailed analysis of identified threats using attack trees.
• Assess risks of identified threats.
• Derive security requirements against identified threats.
(Figure: stm [package] Secure Process Ba...: Preliminary Information (Architecture Info, Use cases, Attacker's Profile, Security Policies, etc), then Threat Analysis: Identification of assets, Identification of attack surfaces, Identification of threats, Detailed analysis of threats, Risk assessment of identified threats, Derivation of security requirements.)
Threat analysis baseline process: supporting diagrams
The following figure shows which phase is supported by which diagram.
Architecture info (SysML Block Def. Diag.), Use cases (Use cases DB), Assets (Secure Block Def. Diag.), Attack Surfaces (Secure Block Def. Diag.), Threats (Secure Block Def. Diag.), Detailed analysis on threats (Attack Trees), Risk assessment (Attack Trees), Security Requirements (Security Req. Diag.).
(Figure: bdd [package] Concept-Phase-Architecture [Concept-Phase-LKAS-ECU]. A Gateway «block, security zone» with attack surfaces AS.01, AS.02 and AS.03 contains a transfer function «block» (with the routing table as «block, asset» and the Security-CAN, DLC-CAN and Ext-CAN transfer functions as «block, functional asset»), a reprogramming function «block, functional asset» (with the firmware as an asset) and a diagnostic function «block, functional asset» (with diagnostic information as an asset). Connected blocks: DLC, NAVI etc., a legitimate diagnostic tool, an unauthorized device, LKAS (LKAS control, Camera) and Steering. Alongside it, the stm Secure Process Ba... diagram from the previous slide: Preliminary Information, then Identification of assets, Identification of attack surfaces, Identification of threats, Detailed analysis of threats, Risk assessment of identified threats, Derivation of security requirements.)
Extended threat analysis process: Overview
• Architecture information, functional module list, network I/F information as preliminary info on the system.
• Usage of the system as use cases
• Attackers’ profile, organizational security policies, risk assessment criteria.
• Identify assets from architecture info.
• Identify attack surfaces.
• Identify an attack path from an attack surface up to an asset.
• Identify threats in a system component along the identified attack path.
• Derive security requirements against the identified threats.
• Detailed analysis on threats and assessment of their risks by attack trees.
• Detailed analysis of security requirements.
• Validate the appropriateness between identified threats and the security requirements against them.
(Figure: stm [package] Secure Process Extended [Secure Process Extended]: Preliminary Information (Architecture Info, Use cases, Attacker's Profile, Security Policies, etc), then Threat analysis: Identification of assets, Identification of attack surfaces, Identification of attack paths, Identification of threats, Derivation of security requirements, Detailed analysis of threats, Risk assessment of threats, Detailed analysis of security requirements, Validation of threats and security requirements.)
Threat analysis extended process: supporting diagrams
The following picture illustrates which phase is supported by which diagram.
Architecture info (SysML Block Def. Diag.), Use cases (Use cases DB), Assets (Secure Block Def. Diag.), Attack Surfaces (Secure Block Def. Diag.), Attack Paths (Secure Block Def. Diag., System Level Diag.), Threats and Security Requirements (System Level Diag.), Detailed analysis on threats (Attack Trees Diag.), Risk Assessment (Attack Trees Diag.), Detailed Analysis on Security Req. (Security Req. Diag.), Validation on Threats and Security Req. (Attack Trees).
(Figure: the bdd [package] Concept-Phase-Architecture [Concept-Phase-LKAS-ECU] diagram of the Gateway security zone, its attack surfaces AS.01 to AS.03, its transfer, reprogramming and diagnostic functions with their assets, and the connected DLC, NAVI, diagnostic tool, unauthorized device, LKAS and Steering blocks, next to the stm [package] Secure Process Extended [Secure Process Extended] diagram: Preliminary Information, then Identification of assets, Identification of attack surfaces, Identification of attack paths, Identification of threats, Derivation of security requirements, Detailed analysis of threats, Risk assessment of threats, Detailed analysis of security requirements, Validation of threats and security requirements.)
Interface characteristics: Security requirements diagram
(Figure: left, the original I/F (original menu) for SysML Requirements Diagrams; right, the I/F of cp/TARA for the Security Requirements Diagram, whose extended menu adds J3061-compliant requirements and general security requirements to the original menu.)
Interface characteristics: Secure block definition diagram
(Figure: left, the original I/F (original menu) for SysML; right, the I/F of cp/TARA for the Secure Block Definition Diagram with its extended menu.)
Identification of assets and attack surface
(Secure block definition diagram)
Architecture information is an essential factor for threat analysis.
(Figure, left, "Architecture Information": class autosec-china-pre-model. A GW «block» with Port2 contains the blocks Routing table, Firmware and Config Data and is connected over CAN to a TCU «block» with Port1.)
(Figure, right, "Analysis on attack surface and assets": class autosec-china-post-model. The same model after analysis: Port2 of the GW is stereotyped «attack surface», Routing table and Config Data become «block, information asset», and Firmware becomes «block, functional asset».)
Functional/information assets and potential attack surfaces are analyzed.
Secure block definition diagram: model elements
Feature: Meaning (the icon column of the original table is not reproduced)
Asset: The asset is an entity which should be protected from attacks. This is realized by adding the stereotype “asset” to the block.
Attack Surface: The attack surface is an entry point for attacks, which is realized as a port (i.e., an I/F to a block). The stereotype “attack surface” is added to the port.
Related attacks (Attack Surface): The attack surface has an attribute “related-attacks” which can store the attack names associated with that attack surface.
Security Zone: The security zone represents the boundary within which it is protected from attacks. This is realized by adding the stereotype “security zone” to the block.
Trust Boundary/Trust level: The trust boundary represents the boundary within which it can be trusted. This is realized by adding the stereotype “trust zone” to the block. Each trust boundary has an attribute, the trust level, where any level of trust for that boundary can be stored.
Trust-ability: Each port may have the trusted attribute, which indicates whether the port and its associated link are trustable.
Vulnerability: Each block has an attribute which stores its vulnerabilities and their IDs.
How to analyze multi-stage attacks and defense in depth?
(Figure: class "protected assets" (保護資産), shown three times: first as the analyzed architecture information, then with the attack paths drawn in. A center server is connected over 3G/LTE to a gateway whose Port2, Port3, Port9 and Port15 are stereotyped «attack surface»; the other external interfaces shown are Bluetooth to a smartphone and an SD slot for an SD card. The gateway holds an authentication function, an authentication key and an information transfer function, and communication paths #1, #2 and #3 lead to ECU01/ECU02, ECU11/ECU12 and ECU21/ECU22. The functional and information assets held by the ECUs include an information function, a center-server query function, vehicle identification information, a smartphone communication function, Bluetooth authentication information, control functions, a data rewriting function, control information notification functions, control status notification functions and vehicle status information.)
There could be many paths for attack!
(Example taken from JSAE TP-15002, Guideline for Automotive Information Security Analysis, 2015)
System level threat analysis diagram: example
• Multi-staged attacks and defense in depth can be analyzed at the same time.
‒ An attack path consisting of security zones and their associated attacks and defenses can be analyzed.
‒ Risk assessment can be done based on two risk models: the decremental risk model and the internal hiding risk model.
(Figure: a system level threat analysis diagram of a multi-staged attack against defense in depth. Legend: Attack Path, (Attack), (Defense), (Detection), (Security Zone), (link to attack), (multi attack).)
System level threat analysis: detailed analyses
Detailed analyses of identified attacks and countermeasures are carried out on attack tree diagrams and security requirements diagrams respectively.
Security requirements diagram
(Figure: req [package] "Monitor suspicious communication traffic". A «requirement» "Monitor suspicious communication traffic", id = "SecR-03-2", text = "Monitor suspicious communication traffic", from which two requirements are derived («deriveReqt»): "Communication log", id = "SecR-03-02-01", text = "Log the communication traffic"; and "Analysis of communication logs", id = "SecR-03-02-02", text = "Analyze the logs and inspect for unauthorized communication".)
Attack tree diagram
What would happen when an attacker penetrated your system?
• Most attackers who have penetrated a system remain in it for several months.
‒ E.g., it is believed that the attackers behind the Ukrainian power grid attack stayed in the system for about half a year.
(Figure: one of the reports on the Ukrainian power-grid attack.)
Is it plausible that a nested architecture could help prevent attacks?
(Figure: a system with safety-critical ECUs nested inside inner boundaries.)
Risk models of system level threat analysis diagram
1) Decremental risk model
‒ The more sub-networks/barriers/defenses are introduced, the more the risk is reduced (a risk reduction rate applies per defense line).
‒ RTCA DO-356 introduces this risk model.
2) Internal hiding risk model
‒ The risk of attack is increased once an attacker has intruded into the system.
(Figure: left, risk reduced by multiple defense lines; right, risk increased once an attacker has intruded into the system.)
Risk assessment results
Risk assessment is carried out using CC/CEM and EVITA.
Attack Potential (CC/CEM) and Attack Probability (EVITA):
Basic: 5
Enhanced Basic: 4
Moderate: 3
High: 2
Beyond High: 1
(CC/CEM: Common Methodology for Information Technology Security Evaluation, Evaluation methodology)
(Attack probability from EVITA Deliverable D2.3: Security requirements for automotive on-board networks based on dark-side scenarios, 2008)
(Figure: 1) Decremental risk model: the standard value is decremented, from high to low, for each defense line crossed. 2) Internal hiding risk model: the standard value is incremented once the attacker is inside.)
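As an added example (not cp/TARA or SecuLia code), the following Python models a secure block definition diagram as a small graph, enumerates the attack paths from «attack surface» ports to assets (the "many paths for attack" of the earlier slide), counts the security zones each path crosses, and then scores attack probability stage by stage along a path under the decremental and internal hiding risk models using the CC/CEM table above. The architecture, block names and the one-level step per defense line or stage are assumptions, since the slides give only the direction of each adjustment.

```python
# Added example (not cp/TARA/SecuLia code): attack paths over a secure block
# definition model, plus attack probability under the two risk models.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# CC/CEM attack potential -> EVITA attack probability, as tabulated on the slide.
ATTACK_PROBABILITY = {"Basic": 5, "Enhanced Basic": 4, "Moderate": 3,
                      "High": 2, "Beyond High": 1}


@dataclass
class Block:
    name: str
    stereotypes: Set[str] = field(default_factory=set)      # "asset", "security zone", ...
    attack_surfaces: Set[str] = field(default_factory=set)  # ports stereotyped «attack surface»


class Model:
    """Blocks plus undirected links (port-to-port connections and part-of relations)."""

    def __init__(self, blocks: List[Block], links: List[Tuple[str, str]]):
        self.blocks = {b.name: b for b in blocks}
        self.adj: Dict[str, Set[str]] = {n: set() for n in self.blocks}
        for a, b in links:
            self.adj[a].add(b)
            self.adj[b].add(a)

    def entry_blocks(self) -> List[str]:
        return sorted(n for n, b in self.blocks.items() if b.attack_surfaces)

    def asset_blocks(self) -> List[str]:
        return sorted(n for n, b in self.blocks.items()
                      if any(s.endswith("asset") for s in b.stereotypes))

    def attack_paths(self) -> List[List[str]]:
        """Every simple path from a block with an attack surface to an asset block."""
        found: List[List[str]] = []

        def dfs(node: str, target: str, path: List[str]) -> None:
            if node == target:
                found.append(list(path))
                return
            for nxt in sorted(self.adj[node]):
                if nxt not in path:          # simple paths only: no block visited twice
                    path.append(nxt)
                    dfs(nxt, target, path)
                    path.pop()

        for entry in self.entry_blocks():
            for asset in self.asset_blocks():
                dfs(entry, asset, [entry])
        return found

    def defense_lines(self, path: List[str]) -> int:
        """Number of «security zone» blocks an attacker must cross along the path."""
        return sum("security zone" in self.blocks[n].stereotypes for n in path)

    def unprotected_paths(self) -> List[List[str]]:
        """Paths that reach an asset without crossing any security zone."""
        return [p for p in self.attack_paths() if self.defense_lines(p) == 0]


def probability_profile(model: Model, path: List[str], potential: str,
                        risk_model: str) -> List[int]:
    """Attack probability (1..5) at each stage of the path under one risk model.
    The slides give only the direction of each adjustment; the step size
    (one level per defense line / per stage after entry) is an assumption."""
    p = ATTACK_PROBABILITY[potential]          # the attack's "standard value"
    profile = []
    for i, node in enumerate(path):
        if risk_model == "decremental":        # 1) each defense line crossed lowers it
            if "security zone" in model.blocks[node].stereotypes:
                p = max(1, p - 1)
        elif risk_model == "internal hiding":  # 2) once inside, every stage raises it
            if i > 0:
                p = min(5, p + 1)
        profile.append(p)
    return profile


# Constructed sample architecture: three attack surfaces, a gateway security
# zone, and a head unit that also sits directly on the Security-CAN bus.
MODEL = Model(
    blocks=[
        Block("TCU", attack_surfaces={"Port1 (3G/LTE)"}),
        Block("H/U", attack_surfaces={"Port5 (Bluetooth)"}),
        Block("DLC", attack_surfaces={"Port23 (OBD)"}),
        Block("GW", {"security zone"}),
        Block("GW::Routing table", {"information asset"}),
        Block("GW::Firmware", {"functional asset"}),
        Block("Security-CAN"), Block("LKAS"), Block("Steering"),
        Block("LKAS::LKAS control", {"functional asset"}),
    ],
    links=[("TCU", "GW"), ("H/U", "GW"), ("DLC", "GW"), ("H/U", "Security-CAN"),
           ("GW", "GW::Routing table"), ("GW", "GW::Firmware"), ("GW", "Security-CAN"),
           ("Security-CAN", "LKAS"), ("Security-CAN", "Steering"), ("LKAS", "Steering"),
           ("LKAS", "LKAS::LKAS control")],
)

if __name__ == "__main__":
    print(len(MODEL.attack_paths()), "attack paths; without a defense line:",
          MODEL.unprotected_paths())
```

The two paths reported without a defense line are the head-unit-to-Security-CAN routes, which is exactly the kind of finding the attack path phase is meant to surface before the security requirements are derived.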
cp/TARA road map
Current version (2019)
• Part of it is explained in this presentation.
• System requirements: Enterprise Architect (v. 13), SecuLia (v.1)
Future plan (2020 onward):
• Data exchanges between diagrams
• Automatic attack path analysis (between attack surfaces and assets)
• Automatic analysis on attack surfaces with associated attacks
Final remarks
• This presentation reports on a research outcome of the research project on security of automotive systems.
• A threat analysis tool called cp/TARA was developed to support threat analysis and a threat library in that project.
• cp/TARA is developed as add-in programs of Enterprise Architect and supports multiple analysis methods for
• identifying assets, attack surfaces and security boundaries from architecture information,
• detailed analysis on attacks and countermeasures (security requirements), and
• multi-stage attacks and associated defense measures (defense in depth).
• The future plan for cp/TARA includes
• data exchanges between diagrams,
• automatic attack path analysis (between attack surfaces and assets), and
• automatic analysis on attack surfaces with associated attacks.

Splunk
 
security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slides
Steve Arnold
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo Nixu
Nixu Corporation
 
IntroductionThe capstone project is a �structured walkthrough� pen.pdf
IntroductionThe capstone project is a �structured walkthrough� pen.pdfIntroductionThe capstone project is a �structured walkthrough� pen.pdf
IntroductionThe capstone project is a �structured walkthrough� pen.pdf
fantasiatheoutofthef
 
Safety Architect – a Model-Based Safety Analysis Tool Benefiting from Sirius ...
Safety Architect – a Model-Based Safety Analysis Tool Benefiting from Sirius ...Safety Architect – a Model-Based Safety Analysis Tool Benefiting from Sirius ...
Safety Architect – a Model-Based Safety Analysis Tool Benefiting from Sirius ...
Obeo
 
Advance security in cloud computing for military weapons
Advance security in cloud computing for military weaponsAdvance security in cloud computing for military weapons
Advance security in cloud computing for military weapons
IRJET Journal
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Patricia M Watson
 
20160914 EuroSPI: "Automotive Security: Challenges, Standards and Solutions"
20160914 EuroSPI: "Automotive Security: Challenges, Standards and Solutions"20160914 EuroSPI: "Automotive Security: Challenges, Standards and Solutions"
20160914 EuroSPI: "Automotive Security: Challenges, Standards and Solutions"
Alexander Much
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Mobodexter
 
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptxCompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
Infosectrain3
 
ConnectedAutos-Kymeta-7498-WP
ConnectedAutos-Kymeta-7498-WPConnectedAutos-Kymeta-7498-WP
ConnectedAutos-Kymeta-7498-WP
Greg Harms
 
Securing the Digital Frontier - An Analysis of Cybersecurity Landscape and Tr...
Securing the Digital Frontier - An Analysis of Cybersecurity Landscape and Tr...Securing the Digital Frontier - An Analysis of Cybersecurity Landscape and Tr...
Securing the Digital Frontier - An Analysis of Cybersecurity Landscape and Tr...
Draup3
 
Resume - Varsharani
Resume - VarsharaniResume - Varsharani
Resume - Varsharani
Varsharani Kallimath
 
Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...
Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...
Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...
KTN
 
Security architecture - Perform a gap analysis
Security architecture - Perform a gap analysisSecurity architecture - Perform a gap analysis
Security architecture - Perform a gap analysis
Carlo Dapino
 
A Cybersecurity Digital Twin for Critical Infrastructure Protection
A Cybersecurity Digital Twin for Critical Infrastructure ProtectionA Cybersecurity Digital Twin for Critical Infrastructure Protection
A Cybersecurity Digital Twin for Critical Infrastructure Protection
Massimiliano Masi
 
Security Shift Leftmost - Secure Architecture.pdf
Security Shift Leftmost - Secure Architecture.pdfSecurity Shift Leftmost - Secure Architecture.pdf
Security Shift Leftmost - Secure Architecture.pdf
Narudom Roongsiriwong, CISSP
 
INTERFACE by apidays 2023 - Security Exposure Management in API First World, ...
INTERFACE by apidays 2023 - Security Exposure Management in API First World, ...INTERFACE by apidays 2023 - Security Exposure Management in API First World, ...
INTERFACE by apidays 2023 - Security Exposure Management in API First World, ...
apidays
 

Similar to Cav Taguchi autosec china slides (20)

Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
Trusted computing: an overview
Trusted computing: an overviewTrusted computing: an overview
Trusted computing: an overview
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slides
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo Nixu
 
IntroductionThe capstone project is a �structured walkthrough� pen.pdf
IntroductionThe capstone project is a �structured walkthrough� pen.pdfIntroductionThe capstone project is a �structured walkthrough� pen.pdf
IntroductionThe capstone project is a �structured walkthrough� pen.pdf
 
Safety Architect – a Model-Based Safety Analysis Tool Benefiting from Sirius ...
Safety Architect – a Model-Based Safety Analysis Tool Benefiting from Sirius ...Safety Architect – a Model-Based Safety Analysis Tool Benefiting from Sirius ...
Safety Architect – a Model-Based Safety Analysis Tool Benefiting from Sirius ...
 
Advance security in cloud computing for military weapons
Advance security in cloud computing for military weaponsAdvance security in cloud computing for military weapons
Advance security in cloud computing for military weapons
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
 
20160914 EuroSPI: "Automotive Security: Challenges, Standards and Solutions"
20160914 EuroSPI: "Automotive Security: Challenges, Standards and Solutions"20160914 EuroSPI: "Automotive Security: Challenges, Standards and Solutions"
20160914 EuroSPI: "Automotive Security: Challenges, Standards and Solutions"
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
 
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptxCompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
 
ConnectedAutos-Kymeta-7498-WP
ConnectedAutos-Kymeta-7498-WPConnectedAutos-Kymeta-7498-WP
ConnectedAutos-Kymeta-7498-WP
 
Securing the Digital Frontier - An Analysis of Cybersecurity Landscape and Tr...
Securing the Digital Frontier - An Analysis of Cybersecurity Landscape and Tr...Securing the Digital Frontier - An Analysis of Cybersecurity Landscape and Tr...
Securing the Digital Frontier - An Analysis of Cybersecurity Landscape and Tr...
 
Resume - Varsharani
Resume - VarsharaniResume - Varsharani
Resume - Varsharani
 
Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...
Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...
Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...
 
Security architecture - Perform a gap analysis
Security architecture - Perform a gap analysisSecurity architecture - Perform a gap analysis
Security architecture - Perform a gap analysis
 
A Cybersecurity Digital Twin for Critical Infrastructure Protection
A Cybersecurity Digital Twin for Critical Infrastructure ProtectionA Cybersecurity Digital Twin for Critical Infrastructure Protection
A Cybersecurity Digital Twin for Critical Infrastructure Protection
 
Security Shift Leftmost - Secure Architecture.pdf
Security Shift Leftmost - Secure Architecture.pdfSecurity Shift Leftmost - Secure Architecture.pdf
Security Shift Leftmost - Secure Architecture.pdf
 
INTERFACE by apidays 2023 - Security Exposure Management in API First World, ...
INTERFACE by apidays 2023 - Security Exposure Management in API First World, ...INTERFACE by apidays 2023 - Security Exposure Management in API First World, ...
INTERFACE by apidays 2023 - Security Exposure Management in API First World, ...
 

Recently uploaded

Expanding Access to Affordable At-Home EV Charging by Vanessa Warheit
Expanding Access to Affordable At-Home EV Charging by Vanessa WarheitExpanding Access to Affordable At-Home EV Charging by Vanessa Warheit
Expanding Access to Affordable At-Home EV Charging by Vanessa Warheit
Forth
 
快速办理(napier毕业证书)英国龙比亚大学毕业证在读证明一模一样
快速办理(napier毕业证书)英国龙比亚大学毕业证在读证明一模一样快速办理(napier毕业证书)英国龙比亚大学毕业证在读证明一模一样
快速办理(napier毕业证书)英国龙比亚大学毕业证在读证明一模一样
78tq3hi2
 
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
g1inbfro
 
EV Charging at MFH Properties by Whitaker Jamieson
EV Charging at MFH Properties by Whitaker JamiesonEV Charging at MFH Properties by Whitaker Jamieson
EV Charging at MFH Properties by Whitaker Jamieson
Forth
 
Charging Fueling & Infrastructure (CFI) Program Resources by Cat Plein
Charging Fueling & Infrastructure (CFI) Program Resources by Cat PleinCharging Fueling & Infrastructure (CFI) Program Resources by Cat Plein
Charging Fueling & Infrastructure (CFI) Program Resources by Cat Plein
Forth
 
原版定做(mmu学位证书)英国曼彻斯特城市大学毕业证本科文凭原版一模一样
原版定做(mmu学位证书)英国曼彻斯特城市大学毕业证本科文凭原版一模一样原版定做(mmu学位证书)英国曼彻斯特城市大学毕业证本科文凭原版一模一样
原版定做(mmu学位证书)英国曼彻斯特城市大学毕业证本科文凭原版一模一样
utuvvas
 
原版制作(Exeter毕业证书)埃克塞特大学毕业证完成信一模一样
原版制作(Exeter毕业证书)埃克塞特大学毕业证完成信一模一样原版制作(Exeter毕业证书)埃克塞特大学毕业证完成信一模一样
原版制作(Exeter毕业证书)埃克塞特大学毕业证完成信一模一样
78tq3hi2
 
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理
u2cz10zq
 
Here's Why Every Semi-Truck Should Have ELDs
Here's Why Every Semi-Truck Should Have ELDsHere's Why Every Semi-Truck Should Have ELDs
Here's Why Every Semi-Truck Should Have ELDs
jennifermiller8137
 
EV Charging at Multifamily Properties by Kevin Donnelly
EV Charging at Multifamily Properties by Kevin DonnellyEV Charging at Multifamily Properties by Kevin Donnelly
EV Charging at Multifamily Properties by Kevin Donnelly
Forth
 
Catalytic Converter theft prevention - NYC.pptx
Catalytic Converter theft prevention - NYC.pptxCatalytic Converter theft prevention - NYC.pptx
Catalytic Converter theft prevention - NYC.pptx
Blue Star Brothers
 
53286592-Global-Entrepreneurship-and-the-Successful-Growth-Strategies-of-Earl...
53286592-Global-Entrepreneurship-and-the-Successful-Growth-Strategies-of-Earl...53286592-Global-Entrepreneurship-and-the-Successful-Growth-Strategies-of-Earl...
53286592-Global-Entrepreneurship-and-the-Successful-Growth-Strategies-of-Earl...
MarynaYurchenko2
 
按照学校原版(UniSA文凭证书)南澳大学毕业证快速办理
按照学校原版(UniSA文凭证书)南澳大学毕业证快速办理按照学校原版(UniSA文凭证书)南澳大学毕业证快速办理
按照学校原版(UniSA文凭证书)南澳大学毕业证快速办理
ggany
 
一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理
一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理
一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理
afkxen
 
Charging Fueling & Infrastructure (CFI) Program by Kevin Miller
Charging Fueling & Infrastructure (CFI) Program  by Kevin MillerCharging Fueling & Infrastructure (CFI) Program  by Kevin Miller
Charging Fueling & Infrastructure (CFI) Program by Kevin Miller
Forth
 
Dahua Security Camera System Guide esetia
Dahua Security Camera System Guide esetiaDahua Security Camera System Guide esetia
Dahua Security Camera System Guide esetia
Esentia Systems
 
Charging and Fueling Infrastructure Grant: Round 2 by Brandt Hertenstein
Charging and Fueling Infrastructure Grant: Round 2 by Brandt HertensteinCharging and Fueling Infrastructure Grant: Round 2 by Brandt Hertenstein
Charging and Fueling Infrastructure Grant: Round 2 by Brandt Hertenstein
Forth
 
一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理
一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理
一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理
afkxen
 

Recently uploaded (18)

Expanding Access to Affordable At-Home EV Charging by Vanessa Warheit
Expanding Access to Affordable At-Home EV Charging by Vanessa WarheitExpanding Access to Affordable At-Home EV Charging by Vanessa Warheit
Expanding Access to Affordable At-Home EV Charging by Vanessa Warheit
 
快速办理(napier毕业证书)英国龙比亚大学毕业证在读证明一模一样
快速办理(napier毕业证书)英国龙比亚大学毕业证在读证明一模一样快速办理(napier毕业证书)英国龙比亚大学毕业证在读证明一模一样
快速办理(napier毕业证书)英国龙比亚大学毕业证在读证明一模一样
 
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
原版制作(澳洲WSU毕业证书)西悉尼大学毕业证文凭证书一模一样
 
EV Charging at MFH Properties by Whitaker Jamieson
EV Charging at MFH Properties by Whitaker JamiesonEV Charging at MFH Properties by Whitaker Jamieson
EV Charging at MFH Properties by Whitaker Jamieson
 
Charging Fueling & Infrastructure (CFI) Program Resources by Cat Plein
Charging Fueling & Infrastructure (CFI) Program Resources by Cat PleinCharging Fueling & Infrastructure (CFI) Program Resources by Cat Plein
Charging Fueling & Infrastructure (CFI) Program Resources by Cat Plein
 
原版定做(mmu学位证书)英国曼彻斯特城市大学毕业证本科文凭原版一模一样
原版定做(mmu学位证书)英国曼彻斯特城市大学毕业证本科文凭原版一模一样原版定做(mmu学位证书)英国曼彻斯特城市大学毕业证本科文凭原版一模一样
原版定做(mmu学位证书)英国曼彻斯特城市大学毕业证本科文凭原版一模一样
 
原版制作(Exeter毕业证书)埃克塞特大学毕业证完成信一模一样
原版制作(Exeter毕业证书)埃克塞特大学毕业证完成信一模一样原版制作(Exeter毕业证书)埃克塞特大学毕业证完成信一模一样
原版制作(Exeter毕业证书)埃克塞特大学毕业证完成信一模一样
 
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理
一比一原版(UMich毕业证)密歇根大学|安娜堡分校毕业证如何办理
 
Here's Why Every Semi-Truck Should Have ELDs
Here's Why Every Semi-Truck Should Have ELDsHere's Why Every Semi-Truck Should Have ELDs
Here's Why Every Semi-Truck Should Have ELDs
 
EV Charging at Multifamily Properties by Kevin Donnelly
EV Charging at Multifamily Properties by Kevin DonnellyEV Charging at Multifamily Properties by Kevin Donnelly
EV Charging at Multifamily Properties by Kevin Donnelly
 
Catalytic Converter theft prevention - NYC.pptx
Catalytic Converter theft prevention - NYC.pptxCatalytic Converter theft prevention - NYC.pptx
Catalytic Converter theft prevention - NYC.pptx
 
53286592-Global-Entrepreneurship-and-the-Successful-Growth-Strategies-of-Earl...
53286592-Global-Entrepreneurship-and-the-Successful-Growth-Strategies-of-Earl...53286592-Global-Entrepreneurship-and-the-Successful-Growth-Strategies-of-Earl...
53286592-Global-Entrepreneurship-and-the-Successful-Growth-Strategies-of-Earl...
 
按照学校原版(UniSA文凭证书)南澳大学毕业证快速办理
按照学校原版(UniSA文凭证书)南澳大学毕业证快速办理按照学校原版(UniSA文凭证书)南澳大学毕业证快速办理
按照学校原版(UniSA文凭证书)南澳大学毕业证快速办理
 
一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理
一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理
一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理
 
Charging Fueling & Infrastructure (CFI) Program by Kevin Miller
Charging Fueling & Infrastructure (CFI) Program  by Kevin MillerCharging Fueling & Infrastructure (CFI) Program  by Kevin Miller
Charging Fueling & Infrastructure (CFI) Program by Kevin Miller
 
Dahua Security Camera System Guide esetia
Dahua Security Camera System Guide esetiaDahua Security Camera System Guide esetia
Dahua Security Camera System Guide esetia
 
Charging and Fueling Infrastructure Grant: Round 2 by Brandt Hertenstein
Charging and Fueling Infrastructure Grant: Round 2 by Brandt HertensteinCharging and Fueling Infrastructure Grant: Round 2 by Brandt Hertenstein
Charging and Fueling Infrastructure Grant: Round 2 by Brandt Hertenstein
 
一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理
一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理
一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理
 

Cav Taguchi autosec china slides

• 1. Security First, CAV Technologies: AutoSec China 2019
  Mission Possible: Advanced Threat Analysis Tool for All
  Kenji Taguchi, CAV Technologies Co. Ltd, Sept 18, 2019
  Joint work with A. Ohba (Japan Automotive Research Institute)
  copyright@2019 CAV Technologies Co., Ltd. all rights reserved.
• 2. About this presentation
  • This presentation overviews the threat analysis tool called cp/TARA, which was originally developed under a Japanese government research project on the cybersecurity of automotive systems run by the Ministry of Economy, Trade and Industry (METI) and the Ministry of Land, Infrastructure, Transport and Tourism (MLIT).
  • This presentation is co-authored by A. Ohba (Japan Automotive Research Institute).
  • The following reports published by METI summarize the outcome of the research project and include a summary of the design and the adopted threat analysis methods of cp/TARA, which will be explained in this presentation:
    • https://www.meti.go.jp/meti_lib/report/H29FY/000362.pdf (Japanese only)
    • https://www.meti.go.jp/meti_lib/report/H30FY/000350.pdf (Japanese only)
• 3. Research Project: Cybersecurity for automotive systems
  [Figure: four-layer landscape (Layer 1 Mobility society; Layer 2 Vehicle; Layer 3 In-vehicle; Layer 4 Component) with elements such as cloud, smartphone, V2X, charging station, TCU, Bluetooth, Wi-Fi, PLC, GW, Diag tool, ADAS, H/U, Locator, Multi-media, Powertrain, Chassis, Body, Steer, Brake, Air-con and Door.]
  • The whole landscape of security issues for the automotive domain can be illustrated by Layer 1 to Layer 4.
  • The theme of the project was security issues on layer 2, i.e., the vehicle itself, and it focuses on 1) threat analysis and a threat library, 2) evaluation methods and criteria for countermeasures and 3) a lightweight digital signature for V2X.
  • This presentation is focused on the first part of 1).
  Countermeasures per layer:
  • Layer 1 Outside communication: + Encryption + Digital signature + Access control (authentication, filtering)
  • Layer 2 GW: + Access control (filtering) + Key management + ECU authentication + Anomaly detection + Secure log
  • Layer 3 In-vehicle network: + Detection of message spoofing + Encryption
  • Layer 4 ECU: + Secure programming + Secure storage + Secure boot
• 4. Why do we need threat analysis in the first place?
  • Many PoC demonstrations by white-hat hackers: Black Hat 2015 Jeep Cherokee; Black Hat 2016 Tesla Model S; Defcon 2019 GPS tracking app, MyCar; Relay Station Attack (RSA) (Wikipedia) (no picture).
  • Possible solutions: secure architecture and mechanisms built on sound and robust cryptographic foundations: + Message authentication + FOTA + Secure boot + Hardware security module + Intrusion detection and protection + Secure Diagnostic Service (UDS) ...
  • Key to the problem: how do we design an optimal secure architecture, and how can we be confident of its robustness against potential threats? Threat analysis at an early stage of the development.
• 5. Necessary ingredients for threat analysis
  Multiple methods are necessary to capture all necessary ingredients for threat analysis.
  [Figure: vehicle architecture (TCU, Bluetooth, Wi-Fi, V2X, PLC, cloud, smartphone, charging station, GW, Diag tool, ADAS, H/U, Steer, Brake, Air-con, Door, Locator, Multi-media, Powertrain, Chassis, Body) annotated with the questions below.]
  • Where does an attack come from?
  • What should be protected?
  • What attack is possible?
  • How can an attack reach its target?
  • Where should protection be placed?
  • How can we protect it?
• 6. Multiple methods for threat analysis and existing methods
  • The following architectural information helps analyze potential threats:
    • Assets: what should be protected from attacks?
    • Entry points/IF: where does an attack come from?
    • Attack path/threat scenario: how can an attack reach its target?
    • Trust boundary/security perimeter: how do we recognize the surface/boundary exposed to attacks?
    • Security boundary: where should protection be placed?
  • Existing methods: zone and conduit (IEC 62443); trust boundary (MS Threat Modeling Tool); security perimeter (DO-356); assets (ISO 27005); threat scenario (DO-356).
  [Figure: Zone X and Zone Y connected by a conduit (no picture).]
  References: HEAVENS, Security models D2, ver. 2.0, March 18, 2016; RTCA DO-356: Airworthiness Security Methods and Considerations, 2014.
• 7. Threat analysis tool based on attack trees: SecuLia
  • SecuLia is a threat analysis tool jointly developed with Gaio Technology.
    ‒ Add-in application of Enterprise Architect (EA), Sparx Systems Co., Ltd.
  • Main functionalities
    ‒ Fault Tree Analysis
    ‒ Attack Tree Analysis: risk assessment à la EVITA, minimal cut sets
    ‒ FT-AT Analysis: analysis of the interference of security against safety (I/F between HARA and TARA)
    ‒ Extendable risk assessment: the risk assessment is programmable
  [Figure: Enterprise Architect (EA) (Sparx Systems Co., Ltd) with the add-in application, showing an FT-AT diagram and an AT diagram.]
• 8. Necessary ingredients for threat analysis
  SecuLia only supports detailed analysis on attacks. The remaining parts should be developed.
  [Figure: the ingredient diagram of slide 5 with the remaining questions still marked "?".]
• 9. cp/TARA (Common Platform for TARA) Overview (TARA: Threat Analysis and Risk Assessment)
  • Its initiation: cp/TARA is developed under a Japanese government research project on the cybersecurity of automotive systems by METI and MLIT.
  • Threat analysis tool for automotive systems (refer to its initiation above).
  • Integrated platform: provides a common platform to integrate various threat analysis methods and risk assessment criteria.
  • Secure MBD (Model Based Development): supports SysML-based model-based development (block definition diagrams and requirements diagrams are conservatively extended to model security features).
  • Compliance with standards/guidelines: can be adapted to comply with several security standards/guidelines.
  • Advanced methodologies: TARA for multi-staged attacks and the associated defense in depth; built-in security features as architectural components; detailed threat analysis and risk assessment based on attack trees à la EVITA.
  • Flexibility: any additional new programs/features can be easily integrated as an add-on program thanks to the extension facility of Enterprise Architect (Sparx Systems Pty Ltd.). In fact, cp/TARA is an integrated set of add-on programs for Enterprise Architect.
• 10. Wide variety of analysis techniques in cp/TARA
  • Block definition diagrams and requirements diagrams are extended to model critical security features.
    • Conservative extension (the existing SysML specification is preserved).
    • Substantial security features are added to those diagrams.
  • The attack analysis tool SecuLia (Gaio Technology Co., Ltd) is integrated into cp/TARA to support ATA.
  • System-level threat analysis diagrams are newly developed to model multi-stage attacks and the associated defense in depth.
  [Figure: on top of Enterprise Architect (EA)/SysML (Sparx Systems Pty Ltd.): Secure Block Definition Diagrams (SysML) for threat analysis on architecture information; Security Requirements Diagrams (SysML) for countermeasure analysis; Attack Tree Diagrams (SecuLia) for detailed analysis on attacks; System-level threat analysis diagrams (new) for attack paths.]
• 11. Necessary ingredients for threat analysis: solved!
  SecuLia supports detailed analysis on attacks. The remaining parts are developed in cp/TARA. These are all add-in programs of EA.
• 12. What is SysML?
  • SysML (Systems Modeling Language) is a general-purpose graphical modeling language for specifying, analyzing, designing, and verifying complex systems that may include hardware, software, information, personnel, procedures, and facilities (from the OMG SysML page: http://www.omgsysml.org/what-is-sysml.htm).
  • As the picture below shows, SysML diagrams can be classified into behavior diagrams such as the state machine diagram, the requirement diagram, and structure diagrams such as the block definition diagram.
  • SysML can be modified thanks to extension mechanisms such as stereotypes and tagged values from UML (Unified Modeling Language).
  [Figure: SysML diagram taxonomy, from http://www.omgsysml.org/what-is-sysml.htm]
• 13. Threat analysis baseline process: Overview
  Preliminary information:
  • Architecture information, functional module list, network I/F information as preliminary info on the system.
  • Usage of the system as use cases.
  • Attackers' profile, organizational security policies, risk assessment criteria, etc.
  Threat analysis:
  • Identify assets from architecture info.
  • Identify attack surfaces.
  • Identify threats from attack surfaces.
  • Detailed analysis of identified threats using attack trees.
  • Assess risks of identified threats.
  • Derive security requirements against identified threats.
  [Figure: stm [package] Secure Process Ba...: Preliminary Information (Architecture Info, Use cases, Attacker's Profile, Security Policies, etc) followed by Threat Analysis: Identification of assets, Identification of attack surfaces, Identification of threats, Detailed analysis of threats, Risk assessment of identified threats, Derivation of security requirements.]
• 14. Threat analysis baseline process: supporting diagrams
  The following figure shows which phase is supported by which diagram:
  • Architecture info: SysML Block Def. Diag.
  • Use cases: Use cases DB
  • Assets: Secure Block Def. Diag.
  • Attack surfaces: Secure Block Def. Diag.
  • Threats: Secure Block Def. Diag.
  • Detailed analysis on threats: Attack Trees
  • Risk assessment: Attack Trees
  • Security requirements: Security Req. Diag.
  [Figure: bdd [package] Concept-Phase-Architecture [Concept-Phase-LKAS-ECU]: the Gateway («block, security zone») with attack surfaces AS.01, AS.02 and AS.03, containing the transfer function (routing table as asset; Security-CAN, DLC-CAN and Ext-CAN transfer functions as functional assets), the reprogramming function (firmware as information asset) and the diagnostic function (diagnostic information as information asset); external blocks DLC, NAVI etc., legitimate diagnostic tool, rogue device, LKAS (LKAS control, Camera) and Steering, connected through ports. Alongside, the stm diagram of the baseline process from the previous slide.]
• 15. Extended threat analysis process: Overview
  Preliminary information:
  • Architecture information, functional module list, network I/F information as preliminary info on the system.
  • Usage of the system as use cases.
  • Attackers' profile, organizational security policies, risk assessment criteria.
  Threat analysis:
  • Identify assets from architecture info.
  • Identify attack surfaces.
  • Identify threats in a system component along the identified attack path.
  • Derive security requirements against the identified threats.
  • Detailed analysis on threats and assessment of their risks by attack trees.
  • Detailed analysis of security requirements.
  • Validate the appropriateness between identified threats and the security requirements against them.
  • Identify an attack path from an attack surface up to an asset.
  [Figure: stm [package] Secure Process Extended [Secure Process Extended]: Preliminary Information (Architecture Info, Use cases, Attacker's Profile, Security Policies, etc) followed by Threat analysis: Identification of assets, Identification of attack surfaces, Identification of threats, Detailed analysis of threats, Risk assessment of threats, Detailed analysis of security requirements, Identification of attack paths, Derivation of security requirements, Validation of threats and security requirements.]
• 16. Threat analysis extended process: supporting diagrams
  The following picture illustrates which phase is supported by which diagram:
  • Architecture info: SysML Block Def. Diag.
  • Use cases: Use cases DB
  • Assets: Secure Block Def. Diag.
  • Attack surfaces: Secure Block Def. Diag.
  • Attack paths: Secure Block Def. Diag., System Level Diag.
  • Threats and security requirements: System Level Diag.
  • Detailed analysis on threats: Attack Trees Diag.
  • Risk assessment: Attack Trees Diag.
  • Detailed analysis on security req.: Security Req. Diag.
  • Validation on threats and security req.: Attack Trees
  [Figure: the same bdd [package] Concept-Phase-Architecture [Concept-Phase-LKAS-ECU] as on slide 14 (Gateway security zone with attack surfaces AS.01 to AS.03, transfer, reprogramming and diagnostic functions and their assets, DLC, NAVI etc., legitimate diagnostic tool, rogue device, LKAS and Steering), alongside the stm diagram of the extended process from the previous slide.]
  • 17. Interface characteristics: Security requirements diagram
    [Screenshots: the original I/F for SysML Requirements Diagrams (original menu) beside the I/F of cp/TARA for the Security Requirements Diagram (extended menu), which is J3061 compliant and adds general security requirements.]
  • 18. Interface characteristics: Secure block definition diagram
    [Screenshots: the original I/F for SysML (original menu) beside the I/F of cp/TARA for the Secure Block Definition Diagram (extended menu).]
  • 19. Identification of assets and attack surface (Secure block definition diagram). Architecture information is an essential factor for threat analysis. Functional/information assets and potential attack surfaces are analyzed.
    [Figure, architecture information ("autosec-china-pre-model"): TCU connected over CAN (Port1) to GW (Port2); GW contains the blocks Routing table, Firmware and Config Data.]
    [Figure, analysis on attack surface and assets ("autosec-china-post-model"): the same model after analysis, with GW Port2 stereotyped «attack surface», Routing table and Config Data stereotyped «block, information asset», and Firmware stereotyped «block, functional asset».]
  • 20. Secure block definition diagram: model elements (feature, icon, meaning)
    ‒ Asset: an entity which should be protected from attacks. This is realized by adding the stereotype "asset" to the block.
    ‒ Attack surface: an entry point for attacks, realized as a port (i.e., an I/F to a block). The stereotype "attack surface" is added to the port.
    ‒ Related attacks (attack surface): the attack surface has an attribute "related-attacks" which stores the names of the attacks associated with that attack surface.
    ‒ Security zone: the boundary inside which elements are protected from attacks. This is realized by adding the stereotype "security zone" to the block.
    ‒ Trust boundary / trust level: the boundary inside which elements can be trusted. This is realized by adding the stereotype "trust zone" to the block. Each trust boundary has an attribute, the trust level, in which any level of trust for that boundary can be stored.
    ‒ Trust-ability: each port may have the "trusted" attribute, which indicates whether the port and its associated link are trustable.
    ‒ Vulnerability: each block has an attribute which stores its vulnerabilities and their IDs.
  • 21. How to analyze multi-stage attacks and defense in depth?
    [Figure, analyzed architecture information (secure block definition diagram "Protected assets", shown three times): center server; gateway with «attack surface» ports; communication paths #1 to #3; ECU01, ECU02, ECU11, ECU12, ECU21 and ECU22; SD card and smartphone; external interfaces SD slot, Bluetooth and 3G/LTE. Functional assets include the authentication, information transfer, information, center-server inquiry, smartphone communication, control, data rewriting and control-information notification functions; information assets include the authentication key, vehicle identification information, Bluetooth authentication information and vehicle status information.]
    There could be many paths for attack!
(Example taken from JSAE TP-15002, Guideline for Automotive Information Security Analysis, 2015)
  • 22. System level threat analysis diagram: example
    • Multi-staged attacks and defense in depth can be analyzed at the same time.
    ‒ An attack path consisting of security zones and their associated attacks and defenses can be analyzed.
    ‒ Risk assessment can be done based on two risk models: the decremental risk model and the internal hiding risk model.
    [Figure: system level threat analysis diagram contrasting a multi-staged attack with defense in depth. Legend: attack path, attack, defense, detection, security zone, link to attack, multi attack.]
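The model elements of slide 20 and the attack paths over security zones of slides 21 and 22, as an added Python example that is not part of cp/TARA or of this presentation; all block, port and attack names, the link directions and the rule of stopping at the first asset reached are assumptions made for illustration:

```python
# Added example, not cp/TARA code: secure block definition diagram elements encoded in
# Python, and attack paths enumerated from «attack surface» ports to «asset» blocks.
# All block, port and attack names below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Block:
    stereotypes: Set[str] = field(default_factory=set)   # e.g. {"functional asset"}
    zone: str = ""          # enclosing «security zone» block, "" = outside any zone
    # «attack surface» ports of this block -> their "related-attacks" attribute
    attack_surfaces: Dict[str, List[str]] = field(default_factory=dict)

# Constructed model, loosely following the slide-21 layout (gateway, comm paths, ECUs).
MODEL: Dict[str, Block] = {
    "Smartphone": Block(), "SDCard": Block(),
    "Gateway": Block({"security zone"}, "Gateway",
                     {"P2": ["unauthorized Bluetooth connection"], "P3": ["malformed SD card file"]}),
    "CommPath1": Block(zone="Control"), "ECU01": Block({"functional asset"}, "Control"),
    "CommPath2": Block(zone="Info"), "ECU12": Block({"information asset"}, "Info"),
}
# Directed links "Block.Port" -> "Block.Port", in the direction an attack would travel.
LINKS = [("Smartphone.P1", "Gateway.P2"), ("SDCard.P1", "Gateway.P3"),
         ("Gateway.P4", "CommPath1.P1"), ("CommPath1.P2", "ECU01.P1"),
         ("Gateway.P6", "CommPath2.P1"), ("CommPath2.P2", "ECU12.P1")]

def attack_paths(model=MODEL, links=LINKS) -> List[Tuple[str, List[str]]]:
    """(attack-surface port, block path) pairs that reach an asset; simple paths, DFS."""
    adj: Dict[str, List[str]] = {}
    for src, dst in links:
        adj.setdefault(src.split(".")[0], []).append(dst.split(".")[0])
    found: List[Tuple[str, List[str]]] = []
    def walk(surface: str, path: List[str]) -> None:
        if any(s.endswith("asset") for s in model[path[-1]].stereotypes):
            found.append((surface, path))   # stop at the first asset reached
            return
        for nxt in adj.get(path[-1], []):
            if nxt not in path:             # simple paths only (no cycles)
                walk(surface, path + [nxt])
    for name, blk in model.items():
        for pname in blk.attack_surfaces:
            walk(f"{name}.{pname}", [name])
    return found

def zones_crossed(path: List[str], model=MODEL) -> int:
    """Number of «security zone» boundaries crossed along the path (defense-in-depth depth)."""
    zones = [model[b].zone for b in path]
    return sum(1 for a, b in zip(zones, zones[1:]) if a != b)
```

Each path returned pairs an entry port (whose related attacks the model stores) with the blocks traversed, so the zone count per path is the number of defense lines a countermeasure review has to cover.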
  • 23. System level threat analysis: detailed analyses. Detailed analyses on identified attacks and countermeasures are carried out on attack tree diagrams and security requirements diagrams respectively.
    [Figure, security requirements diagram (req package "Monitor suspicious communication traffic"): «requirement» Monitor suspicious communication traffic, id = "SecR-03-2", text = "Monitor suspicious communication traffic"; derived from it («deriveReqt»): «requirement» Communication log, id = "SecR-03-02-01", text = "Log the communication traffic", and «requirement» Communication log analysis, id = "SecR-03-02-02", text = "Analyze the logs and check for unauthorized communication".]
    [Figure: attack tree diagram]
  • 24. What would happen when an attacker penetrated your system?
    • Most attackers who have penetrated a system remain in it for several months.
    ‒ E.g., it is believed that the attacker of the Ukrainian power grid stayed there for about half a year.
    [Figure: one of the reports on the Ukrainian power-grid attack]
    Is it plausible that a nested architecture could help prevent attacks?
    [Figure: nested architecture with safety-critical ECUs inside the system]
  • 25. Risk models of system level threat analysis diagram
    1) Decremental risk model ‒ The more sub-networks/barriers/defenses are introduced, the more the risk is reduced. Risk is reduced due to multiple defense lines. RTCA DO-356 introduces this risk model.
    2) Internal hiding risk model ‒ The risk of attack increases once an attacker has intruded into the system.
    [Figure: one chart per model, labelled Risk / Reduction rate]
  • 26. Risk assessment results. Risk assessment is carried out using CC/CEM and Evita.
    ‒ CC/CEM (Common Methodology for Information Technology Security Evaluation, Evaluation methodology) attack potential → attack probability: Basic = 5, Enhanced Basic = 4, Moderate = 3, High = 2, Beyond High = 1.
    ‒ Attack probability: Evita (Deliverable D2.3: Security requirements for automotive on-board networks based on dark-side scenarios, 2008).
    [Figure: two charts of attack probability (low to high). 1) Decremental risk model: from the standard value to a decremented value. 2) Internal hiding risk model: from the standard value to an incremented value.]
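The two risk models and the CC/CEM attack potential mapping above, as an added Python example that is not cp/TARA's implementation; the step size STEP, the clamping of the value to the 1..5 range, the rule that the internal hiding model ignores defense lines, and the constructed path are assumptions, since the slides give no numeric formula:

```python
# Added example, not cp/TARA code: the decremental and internal hiding risk models
# applied to one attack path, with the CC/CEM attack potential -> attack probability
# mapping. STEP, the clamping and the constructed path are assumptions.
from typing import List, Tuple

# CC/CEM attack potential rating -> attack probability value (table of slide 26).
ATTACK_PROBABILITY = {"Basic": 5, "Enhanced Basic": 4, "Moderate": 3, "High": 2, "Beyond High": 1}
LOW, HIGH = 1, 5   # range of the attack probability value
STEP = 1           # assumed change of the value per defense line / per breached zone

Stage = Tuple[str, int]   # (security zone reached, number of defense lines guarding it)

def decremental(entry: str, stages: List[Stage]) -> List[int]:
    """Decremental risk model: every defense line crossed lowers the standard value."""
    p, out = ATTACK_PROBABILITY[entry], []
    for _zone, defenses in stages:
        p = max(LOW, p - STEP * defenses)   # decremented value, never below LOW
        out.append(p)
    return out

def internal_hiding(entry: str, stages: List[Stage]) -> List[int]:
    """Internal hiding risk model: once intruded, the attacker can dwell and pivot, so
    each further zone is reached with an incremented value (defense lines ignored here)."""
    p, out = ATTACK_PROBABILITY[entry], []
    for i, _stage in enumerate(stages):
        if i > 0:
            p = min(HIGH, p + STEP)         # incremented value, never above HIGH
        out.append(p)
    return out

def compare(entry: str, stages: List[Stage]) -> List[Tuple[str, int, int]]:
    """Per zone on the path: (zone, decremental value, internal hiding value)."""
    dec, hid = decremental(entry, stages), internal_hiding(entry, stages)
    return [(zone, d, h) for (zone, _), d, h in zip(stages, dec, hid)]

# Constructed path: entry through the gateway at Moderate attack potential, then a
# control network guarded by two defense lines, then the target ECU behind one more.
PATH: List[Stage] = [("Gateway", 1), ("Control network", 2), ("ECU01", 1)]

if __name__ == "__main__":
    for zone, d, h in compare("Moderate", PATH):
        print(f"{zone:16} decremental={d}  internal_hiding={h}")
```

On the same path the two models move in opposite directions, which is why the diagram asks the analyst to pick a model before reading a risk value off it.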
  • 27. cp/TARA road map
    ‒ Current version (2019): part of it is explained in this presentation. System requirements: Enterprise Architect (v. 13), SecuLia (v.1).
    ‒ Future plan (2020 onward): data exchanges between diagrams; automatic attack path analysis (between attack surfaces and assets); automatic analysis on attack surfaces with associated attacks.
  • 28. Final remarks
    • This presentation reports on a research outcome of the research project on security of automotive systems.
    • A threat analysis tool called cp/TARA was developed in that project to support threat analysis and the threat library.
    • cp/TARA is developed as add-in programs for Enterprise Architect and supports multiple analysis methods for
      • identifying assets, attack surfaces and security boundaries from architecture information,
      • detailed analysis of attacks and countermeasures (security requirements), and
      • multi-stage attacks and associated defense measures (defense in depth).
    • Future plans for cp/TARA include
      • data exchanges between diagrams,
      • automatic attack path analysis (between attack surfaces and assets), and
      • automatic analysis on attack surfaces with associated attacks.