Supporting the Creation of Security Assurance Cases for Automotive Companies

Abstract

Security Assurance Cases (SACs) have gained significant focus in recent years, especially in safety-critical industries such as the automotive industry. Furthermore, there has been a push towards connected cars technology in vehicles, which means that vehicles to a greater extent are exposed to cyber threats. Because of this, a new standard, ISO/SAE-21434, is currently under development, which requires automotive companies to start using SACs to ensure the security of their vehicles against cyber attacks. Using the Design Science Research (DSR) method, two iterations are conducted in which the first iteration focuses on identifying artifacts from Automotive Development Processes (ADPs) that could be used in the creation of SACs. The second iteration investigates to what extent the identified artifacts cover the needs of the approaches suggested in literature. Two open source catalogues are created as the artifact of the first iteration. The second iteration is a gap analysis, including the creation of two SACs, and a a SAC Report Template. The catalogues are used as an aid during the creation of the SACs, as well as quality assurance to assess the quality of the cases. The identified gaps are presented, discussed, and validated by the case company and a third party. The catalogues and the SAC Report Template were implemented into SystemWeaver, a system engineering tool manufactured by the case company Systemite. The artifacts created from this thesis can be used in the future to support practitioners in the creation of SACs.