A Study of The Risk Quantification Method of Cyber-Physical Systems focusing on Direct-Access Attacks to In-Vehicle Networks

摘要

Cyber-physical systems, in which ICT systems and fielddevices are interconnected and interlocked, have become widespread.More threats need to be taken into consideration when designing the securityof cyber-physical systems. Attackers may cause damage to the physicalworld by attacks which exploit vulnerabilities of ICT systems, while otherattackers may use the weaknesses of physical boundaries to exploit ICTsystems. Therefore, it is necessary to assess such risks of attacks properly.A direct-access attack in the field of automobiles is the latter type of attackswhere an attacker connects unauthorized equipment to an in-vehiclenetwork directly and attempts unauthorized access. But it has been consideredas less realistic and evaluated less risky than other threats via networkentry points by conventional risk assessment methods. We focused on reassessingthreats via direct access attacks in proposing effective securitydesign procedures for cyber-physical systems based on a guideline for automobiles,JASO TP15002. In this paper, we focus on “fitting to a specificarea or viewpoint” of such a cyber-physical system, and devise a new riskquantification method, RSS-CWSS CPS based on CWSS, which is also avulnerability evaluation standard for ICT systems. It can quantify the characteristicsof the physical boundaries in cyber-physical systems.