The increase of inward-facing and outward-facing communication used by modern vehicles with automated features expands the breadth and depth of automotive cybersecurity vulnerabilities. The prominent role that human behavior plays in the lifetime of a vehicle creates a need for social and human-based factors to be considered in tandem with the technical factors when addressing cybersecurity. Specifically, in collaboration with researchers from criminology and the automotive industry, we integrate foundations of crime theory, human factors, and model-driven engineering to develop three complementary automotive cybersecurity prevention strategies, where they differ in the balance between technical and social emphasis, both in terms of solution strategies and the targeted stakeholders. We start with a stakeholder-aware threat assessment to analyze automotive systems for vulnerabilities and solutions across the spectrum of stakeholders using the vehicle. In addition to identifying attack surfaces, this threat assessment includes relevant human-focused information, such as type of access needed by attacker (e.g., physical or remote; time needed to complete attack), attacker background knowledge, and impact on human safety. This threat assessment is used to inform all three of our approaches to automotive cybersecurity. First, we developed a set of technical automotive cybersecurity design patterns (i.e., reusable designs for specific cybersecurity problems), targeting the technical stakeholder group. Second, leveraging situational crime prevention strategies, we developed a configurable situational crime prevention framework for automotive cybersecurity where we consider both state of the art and state of the practice strategies to address vulnerabilities. Targeted stakeholders include dealerships, OEM's, and developers. Finally, we developed socio-technical design patterns that provide reusable solution strategies that engage the broader community to address automotive cybersecurity. Example stakeholders include third party vendors, automotive hobbyists, and white-hat attackers. These three strategies provide reusable solutions to be realized by a spectrum of technical and social-based activities to address automotive cybersecurity, which engages the broader community, thus increasing the overall impact and societal benefits. This dissertation takes an interdisciplinary approach to address automotive cybersecurity where we synergistically combine cybercrime theory, human factors, and technical solutions to develop reusable prevention and detection techniques.
Read
