https://repo.valu3s.eu/method/assessment-of-cybersecurity-informed-safety
Assessment of cybersecurity-informed safety
Assessment of Cybersecurity-Informed Safety (ACS or AoCiS) is geared towards black-box testing for security-informed safety of automated driving systems (ADSs) [ACS1]. The black-box testing (that is, testing without knowledge of the internal workings of the test object; see, e.g., [ACS2]) is meant to be part of an independent evaluation, producing an understanding of the interplay between safety and security and enabling a comparison of how well different ADSs withstand safety-relevant security threats. The method is the work of the contributing authors.
Black-box testing for security-informed safety of automated driving systems. The aim is to support black-box testing as part of an independent evaluation, producing an understanding of the interplay between safety and security and enabling a comparison of how well different ADSs can withstand safety-relevant security threats.
For automated vehicles to be safely released to the market, it must be shown that cybersecurity threats do not jeopardise safety. As it is virtually impossible to validate an automated vehicle against all possible scenarios it will face in the real world, least of all in combination with security threats, there is a need to balance the representativeness of the tests against reliable performance indicators. The method describes a way to define testing and validation procedures for ADS features that can combine tests in simulation and in real environments, such as test tracks, into a complete assessment.
This mostly manual method could be used to establish independent tests to evaluate and compare the ability of ADSs to withstand security threats that can affect their safe operation. The method (see figure below) consists of:
1. Extract enough information from the feature description to categorise the feature class of the ADS under test. By feature class we mean a generic description of ADS features (e.g., Automated Lane Keeping Systems (ALKS)) that matches functionality offered by several vendors.
2. Develop an appropriate test suite for test facilities to assess cybersecurity, matching the feature class and sensor setup (e.g., attacks on camera, lidar, radar, satellite navigation and V2X). Attack the vehicle on a test track and capture the post-attack behaviour, i.e., record what the vehicle does after the attack.
3. Co-simulate the post-attack behaviour with critical traffic scenarios (those relevant to the feature class) to evaluate the safety criteria. This is the step that needs tool support and has the potential to be highly automated.
4. Evaluate coverage, update the test suite if needed, and assess whether the safety criterion holds.
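As an added illustration of the co-simulation step (example code written for this page, not the authors' method description or tooling), a minimal Python co-simulation: a constructed post-attack trace of an ALKS, as it would be captured on a test track, is replayed against a small catalogue of adjacent-lane traffic scenarios, and an assumed safety criterion (minimum lateral clearance) is evaluated for each. The lane width, vehicle dimensions, drift profile, scenario catalogue and clearance threshold are all assumptions, not values from the page.

```python
from dataclasses import dataclass

LANE_WIDTH = 3.5   # m, assumed lane width; the adjacent lane centre is at +LANE_WIDTH
EGO_WIDTH = 1.8    # m, assumed width of the vehicle under test (ego)

def post_attack_trace(duration_s=6.0, dt=0.1):
    """Constructed capture (not measured): after the attack the ALKS drifts left at 0.4 m/s for 3 s, then steers back at 0.6 m/s. Samples: (t, lateral offset m, speed m/s)."""
    samples = []
    for i in range(int(duration_s / dt) + 1):
        t = i * dt
        drift = min(t, 3.0) * 0.4 - max(0.0, t - 3.0) * 0.6
        samples.append((t, max(0.0, drift), 25.0))
    return samples

@dataclass
class Scenario:  # one vehicle in the left adjacent lane (constructed traffic scenario)
    name: str
    adj_width: float   # m
    adj_length: float  # m
    adj_x0: float      # m, initial longitudinal position relative to ego (+ ahead)
    adj_speed: float   # m/s

def lane_departure(trace):
    """Largest distance (m) the ego's left edge crosses its lane boundary; 0 if it stays in lane."""
    return max(0.0, max(off + EGO_WIDTH / 2 - LANE_WIDTH / 2 for _, off, _ in trace))

def min_lateral_clearance(trace, sc, ego_length=4.5):
    """Co-simulate trace and scenario: smallest lateral gap (m) to the adjacent vehicle while the two overlap longitudinally (inf if they never do)."""
    adj_right_edge = LANE_WIDTH - sc.adj_width / 2
    x_rel, prev_t, clearance = sc.adj_x0, trace[0][0], float("inf")
    for t, off, speed in trace:
        x_rel += (sc.adj_speed - speed) * (t - prev_t)   # integrate relative longitudinal motion
        prev_t = t
        if abs(x_rel) < (ego_length + sc.adj_length) / 2:
            clearance = min(clearance, adj_right_edge - (off + EGO_WIDTH / 2))
    return clearance

def assess(trace, scenarios, min_clearance=0.3):
    """Assumed safety criterion: keep at least min_clearance m to any adjacent vehicle. Returns {scenario name: (clearance, passed)}."""
    results = {}
    for sc in scenarios:
        c = min_lateral_clearance(trace, sc)
        results[sc.name] = (c, c >= min_clearance)
    return results

SCENARIOS = [  # the same manoeuvre (passing at +5 m/s) with different vehicle sizes and gaps
    Scenario("car passes during drift", 1.8, 4.5, -10.2, 30.0),
    Scenario("truck passes during drift", 2.5, 4.5, -10.2, 30.0),
    Scenario("car passes after recovery", 1.8, 4.5, -25.2, 30.0),
]
```

Only the truck scenario fails the criterion, which is the kind of critical scenario the method singles out for test-track verification instead of sweeping the whole attack-by-traffic product.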
The methodology generates tests that have been shown to be relevant to establishing a baseline for cybersecurity of an ADS. The proposed process is somewhat different from a more traditional approach where the combinatorial explosion renders test coverage unfeasible when considering all types of attacks and traffic scenarios. In contrast, this approach does not provide complete coverage but instead aims to build confidence. The co-simulation approach identifies the critical scenarios that need to be tested and makes the risks in the validation testing predictable, thus enabling a proactive strategy to address the hazards. The identified critical scenarios, comprised of relevant attacks in representative traffic conditions, may well be orchestrated and evaluated to form a comparable independent cybersecurity assessment.
Methodology of tests that could support establishing cybersecurity-informed safety in an ADS
Provides evidence to establish increased confidence that the ADS will not violate its safe operating conditions during or after a cybersecurity attack
A safe and controlled testing process for ADS cybersecurity, in which the dangers involved in performing security attacks in real environments are mitigated
The co-simulation of post-attack behaviour and traffic to identify critical scenarios will reduce the assessment test volume
Simulation validity not proven
A method to capture post-attack behaviour in a form that is useful for co-simulation is missing.
[ACS1] Skoglund, M. et al. (2021): Black-Box Testing for Security-Informed Safety of Automated Driving Systems. VTS 2021-spring.
[ACS2] Forgács, I.; Kovács, A. (2019): Practical Test Design: Selection of Traditional and Automated Test Design Techniques.