Security assurance cases for road vehicles: an industry perspective

Assurance cases are structured arguments that are commonly used to reason about the safety of a product or service. There is an ongoing push towards using assurance cases for cybersecurity as well, especially in safety-critical domains such as automotive. While the industry is faced with the challenge of defining a sound methodology to build security assurance cases, the state of the art is rather immature. Therefore, we have conducted a thorough investigation of the (external) constraints and (internal) needs that security assurance cases have to satisfy when used in the automotive industry. The investigation was carried out with 28 participants and in the context of two large automotive companies located in Europe: Company A is a passenger car manufacturer, while Company B is a truck manufacturer. An extended version of this paper is available online at https://arxiv.org/abs/2003.14106.
