Assessment of cybersecurity-informed safety

Assessment of Cybersecurity-Informed Safety (ACS or AoCiS) is geared towards black-box testing for security-informed safety of automated driving systems [ACS1]. The support black-box testing (that is, testing without knowing the internal workings of the test object, see, e.g., [ACS2]) is meant to be part of an independent evaluation, to produce an understanding of the interplay between safety and security, enabling a comparison of how well different ADSs can withstand safety-relevant security threats. The method is the work of the contributing authors.

Method Purpose Short description of the method's purpose and main benefits

Method description A detailed description of the method

For automated vehicles to be safely released to the market, it must be shown that cybersecurity threats do not jeopardise safety. As it is virtually impossible to validate an automated vehicle against all possible scenarios it will face in the real world, least of all in combination with security threats, there is a need to balance the representativeness of the tests and the reliable performance indicators. The method describes a way to define testing and validation procedures of ADS features that can combine tests both in simulation and in real environments, such as test tracks, into a complete assessment.

This mostly manual method could be used to establish independent tests to evaluate and compare the ability of ADSs to withstand security threats that can affect their safe operation. The method (see figure ‎below) consists of:

Extracting enough information from the feature description to facilitate categorisation of feature classes for an ADS under test. With feature class, we mean generic descriptions of ADS features (e.g., Automated Lane Keeping Systems (ALKS)) that match functionality offered by several vendors.
Development of an appropriate test suite for test facilities to assess cybersecurity, matching the feature class and sensor setup (e.g., attacks on camera, lidar, radar, satellite navigation and v2x). Attack the vehicle on a test track and capture the post-attack behaviour i.e., record what the vehicle does after the attack.
Co-simulation of post-attack behaviour with critical traffic scenarios (that is relevant for the feature class) to evaluate safety criteria. This is the step that that need tool support and with potential to be highly automated.
Evaluate coverage and update the test suite if needed and assess if the safety criterion holds.

The methodology generates tests that have been shown to be relevant to establishing a baseline for cybersecurity of an ADS. The proposed process is somewhat different from a more traditional approach where the combinatorial explosion renders test coverage unfeasible when considering all types of attacks and traffic scenarios. In contrast, this approach does not provide complete coverage but instead aims to build confidence. The co-simulation approach identifies the critical scenarios that need to be tested and makes the risks in the validation testing predictable, thus enabling a proactive strategy to address the hazards. The identified critical scenarios, comprised of relevant attacks in representative traffic conditions, may well be orchestrated and evaluated to form a comparable independent cybersecurity assessment.

Methodology of tests that could support establishing cybersecurity-informed safety in an ADS

Method Strengths A listof the strengths of the method

Will provide evidence to establish increased confidence that the ADS will not violate the safe operating conditions even during or after a cybersecurity attack
A safe and controlled testing process for ADS cybersecurity where dangers involved in performing real environment security attacks are mitigated
The co-simulation of post-attack behaviour and traffic to identify critical scenario will reduce the assessment test volume

Method Limitations The limitations of the method

Simulation validity not proven
Method to capture post-attack behaviour so that it is helpful for co-simulation is missing.

Method References Bibliography references to papers about the method.

[ACS1] Skoglund, M. et al.: Black-Box Testing for Security-Informed Safety of Automated Driving Systems, VTS 2021-spring

[ACS2] Forgács, István; Kovács, Attila (2019). Practical Test Design: Selection of Traditional and Automated Test Design Techniques.

Method Dimensions

Evaluation Environment Type Type of environment where the method is applied. It can be more than one type of environment. (Dimension 1)

Evaluation Type Type of evaluation performed with that method. If a method is hybrid, more than one type can be selected. (Dimension 2)

Type of Component Under Evaluation Type of components that can be evaluated with that method. It can be more than one type. (Dimension 3)

Evaluation Stage The evaluation stage where the method is used. (Dimension 5)

Purpose of the Component Under Evaluation The type of purpose that can be evaluated by a method. It can be more than one type. (Dimension 6)

Type of Requirement Under Evaluation The type of requirements that a method is able to evaluate. It can be more than one type. (Dimension 7)

Evaluation Performance Indicator The type of evaluation criteria or KPI that a method is able to improve. It can be more than one type. (Dimension 8)

Relations

Related Methods A method could be related to other methods.

Tools A method can use zero or more tools.

Part Method A method (when it is a combination: Combination of method artefact that is a specialization of a V&V Method) could be composed of a set of V&V Methods.

Test Case or Verification and Validation activity Test Case or V&V activity performed in a Use Case. We will link to the method to the test cases where the method is used.

Standards A method can be linked with standards.

Context

Workflow

Contents

There are currently no items in this folder.