CN116362543A - Comprehensive risk assessment method and device integrating information security and functional security - Google Patents

Info

Publication number
CN116362543A
Authority
CN
China
Legal status
Pending
Application number
CN202310318711.2A
Other languages
Chinese (zh)
Inventor
郭俊
胡红星
侯中林
刘虹
王守为
刘勇
周其亮
Current Assignee
China Automotive Innovation Co Ltd
Original Assignee
China Automotive Innovation Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0635 Risk analysis of enterprise or organisation activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/40 Business processes related to the transportation industry


Abstract

The invention relates to a comprehensive risk assessment method and device integrating information security and functional safety. The method comprises the following steps: acquiring a component of a vehicle that needs to undergo safety detection; determining, from the component, the damaged assets corresponding to it, the damaged assets including a first damaged asset associated with personal information or vehicle information and a second damaged asset capable of affecting the functional safety of the vehicle; obtaining the information security data corresponding to the damaged assets; obtaining the functional safety data corresponding to the second damaged asset; and setting the overall safety information corresponding to the information security data and the functional safety data on the basis of an overall risk matrix operation method, so as to obtain an overall risk evaluation standard and realize an overall safety evaluation of the vehicle's automatic driving. By assessing information security and functional safety at the same time, a comprehensive assessment of the safety risk of automatic driving technology is achieved, and a decision basis is provided for finer-grained early warning and response measures.

Description

Comprehensive risk assessment method and device integrating information security and functional security
Technical Field
The invention relates to the technical field of automatic driving, in particular to a comprehensive risk assessment method and device integrating information safety and functional safety.
Background
With the development of automatic driving technology and advanced driver assistance systems, the safety requirements for road vehicles are becoming more comprehensive and more specific. A security risk assessment method for road vehicles must therefore be able to assess information security and functional safety at the same time. Traditional information security assessment methods mainly cover the security of system hardware and software and lack any assessment of vehicle functional safety; functional safety assessment methods mainly focus on the functional safety of the vehicle and lack any assessment of information security.
An information security problem does not create new potential safety hazards (that is, new unsafe states), but it changes the probability with which existing potential hazards occur, and it can even make hazards that were previously considered impossible become possible. Therefore, both information security and functional safety must be considered during system design.
There is therefore a need for a comprehensive risk assessment method that assesses the information security and functional safety risks of automatic driving technology together and that, when an information security event occurs, gives early warning of its influence on functional safety, so as to solve the above technical problems.
Disclosure of Invention
In order to solve the above technical problems, the invention provides a comprehensive risk assessment method integrating information security and functional safety. It solves the problem that, in the prior art, the assessment of automatic driving technology focuses mainly on vehicle functional safety, so that the lack of an information security assessment limits the assessment of automatic driving safety.
The technical effects of the invention are realized by the following steps:
a comprehensive risk assessment method integrating information security and functional security comprises the following steps:
acquiring a component of the vehicle that needs to undergo safety detection, wherein the component is a module or device that must be scheduled in order to realize automatic driving;
determining, from the component, the damaged assets corresponding to it, the damaged assets including a first damaged asset associated with personal information or vehicle information and a second damaged asset capable of affecting the functional safety of the vehicle;
obtaining, from the damaged assets, the information security data corresponding to them, wherein the information security data comprises information security vulnerabilities and their corresponding information security risk values, and an information security vulnerability is a weakness through which an attacker can penetrate the vehicle system via an information security attack path;
obtaining, from the second damaged asset, the functional safety data corresponding to it, wherein the functional safety data comprises failure modes and functional safety risk values;
and setting the overall safety information corresponding to the information security data and the functional safety data on the basis of an overall risk matrix operation method, so as to obtain an overall risk evaluation standard and realize an overall safety evaluation of the vehicle's automatic driving. By constructing an overall safety risk matrix that combines functional safety risks and information security risks, the method integrates the comprehensive risk assessment of automatic driving information security and functional safety, realizes a comprehensive assessment of the safety risks of automatic driving technology, and at the same time provides a decision basis for finer-grained early warning and response measures.
Further, obtaining the information security data corresponding to the damaged asset comprises:
obtaining, on the basis of a TARA analysis method, the level of the damaged asset's impact on safety, finance, operation and privacy from the information security vulnerabilities of the damaged asset;
and determining, from the impact levels on safety, finance, operation and privacy under the corresponding threat scenario, the information security risk value when the information security vulnerability occurs, so as to obtain a TARA table containing the correspondence between information security vulnerabilities and information security risk values.
Further, obtaining the functional safety data corresponding to the second damaged asset comprises:
obtaining, on the basis of a HARA analysis method, the severity, exposure and controllability corresponding to each failure mode of the second damaged asset;
and determining the functional safety risk value from the severity, exposure and controllability under the corresponding failure mode, so as to obtain a HARA table containing the correspondence between failure modes and functional safety risk values.
Further, the method further comprises the following steps:
obtaining, from the information security vulnerability, the corresponding information security attack paths and the attack feasibility level of each attack path, wherein one information security vulnerability corresponds to one or more information security attack paths;
and obtaining the information security risk value of the damaged asset under the different vulnerability scenarios and attack path conditions from the impact level of the vulnerability on safety, finance, operation and privacy together with the attack feasibility level of the corresponding attack path, so as to obtain the final information security risk value.
Further, after setting the overall safety information corresponding to the information security data and the functional safety data on the basis of the overall risk matrix operation method, obtaining the overall risk assessment standard and realizing the overall safety assessment of the vehicle's automatic driving, the method comprises:
deploying a first detection module in the vehicle or in the cloud to detect the information security vulnerabilities that cause damage to the damaged assets;
wherein one first detection module corresponds to one or more of the damaged assets.
Further, after deploying the first detection module in the vehicle or in the cloud, the method comprises:
acquiring the target damaged assets that are subject to an information security threat and the corresponding target information security vulnerabilities of those assets;
and determining the corresponding information security risk value from the target information security vulnerability on the basis of the TARA table.
Further, after setting the overall safety information corresponding to the information security data and the functional safety data on the basis of the overall risk matrix operation method, obtaining the overall risk assessment standard and realizing the overall safety assessment of the vehicle's automatic driving, the method further comprises:
deploying a second detection module on the vehicle's electronic devices to detect the failure modes, caused by the second damaged asset, that affect the vehicle's functional safety;
wherein the second detection module corresponds to one or more failure modes arising from failure of the electronic device.
Further, after deploying the second detection module on the vehicle's electronic devices, the method comprises:
acquiring a target electronic device with a functional safety failure and the corresponding target failure mode of that device;
and determining the corresponding functional safety risk value from the target failure mode on the basis of the HARA table.
Further, after determining the corresponding functional safety risk value from the target failure mode on the basis of the HARA table, the method comprises:
obtaining, on the basis of the comprehensive risk evaluation standard, a comprehensive risk value from the functional safety risk value and the information security risk value detected during the automatic driving test, so as to comprehensively evaluate the automatic driving safety performance of the current vehicle. The first detection module and the second detection module are arranged at the corresponding positions according to the in-vehicle data transmission mode and the vehicle's electrical architecture, so that during the vehicle's automatic driving test the information security vulnerabilities corresponding to the damaged assets, and whether the corresponding failure modes occur in vehicle electronic devices with hidden functional failure risks, can be detected at the same time; the detected vulnerabilities and failure modes are then converted into information security risk values and functional safety risk values on the basis of the TARA table and the HARA table, so as to comprehensively evaluate the vehicle's automatic driving safety performance.
In addition, a comprehensive risk assessment device integrating information security and functional safety is also provided, comprising:
a component acquisition module, used to acquire a component of the vehicle that needs to undergo safety detection, the component being a module or device that must be scheduled in order to realize automatic driving;
a damaged asset determination module, used to determine, from the component, the damaged assets corresponding to it, the damaged assets comprising a first damaged asset associated with personal or vehicle information and a second damaged asset capable of affecting the functional safety of the vehicle;
an information security determination module, used to obtain the information security data corresponding to the damaged assets, the information security data comprising information security vulnerabilities and their corresponding information security risk values, an information security vulnerability being a weakness through which an attacker can invade the interior of the vehicle system via an information security attack path;
a functional safety determination module, used to obtain the functional safety data corresponding to the second damaged asset, the functional safety data comprising failure modes and functional safety risk values;
and a comprehensive risk assessment module, used to set the overall safety information corresponding to the information security data and the functional safety data on the basis of the overall risk matrix operation method, so as to obtain the comprehensive risk assessment standard and realize a comprehensive assessment of the safety of the vehicle's automatic driving.
As described above, the invention has the following beneficial effects:
1) By constructing an overall safety risk matrix that combines functional safety risks and information security risks, the method integrates the comprehensive risk assessment of automatic driving information security and functional safety, realizes a comprehensive assessment of the safety risks of automatic driving technology, and provides a decision basis for finer-grained early warning and response measures.
2) The first detection module and the second detection module are arranged at the corresponding positions according to the in-vehicle data transmission mode and the vehicle's electrical architecture, so that during the vehicle's automatic driving test the information security vulnerabilities corresponding to the damaged assets, and whether the corresponding failure modes occur in vehicle electronic devices with hidden functional failure risks, can be detected at the same time; the detected vulnerabilities and failure modes are then converted into information security risk values and functional safety risk values on the basis of the TARA table and the HARA table, so as to comprehensively evaluate the vehicle's automatic driving safety performance.
Drawings
In order to more clearly illustrate the technical solution of the present invention, the following description will make a brief introduction to the drawings used in the description of the embodiments or the prior art. It should be apparent that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained from these drawings without inventive effort to those of ordinary skill in the art.
FIG. 1 is a flowchart of the comprehensive risk assessment method integrating information security and functional safety according to an embodiment of the present disclosure;
FIG. 2 shows the correspondence between the information security risk value and the impact level of a threat scenario together with the attack feasibility of the related attack paths, provided in an embodiment of the present disclosure;
FIG. 3 shows the safety impact assessment criteria provided by an embodiment of the present disclosure;
FIG. 4 shows the financial impact assessment criteria provided by an embodiment of the present description;
FIG. 5 shows the operational impact assessment criteria provided by an embodiment of the present description;
FIG. 6 shows the privacy impact assessment criteria provided by an embodiment of the present description;
FIG. 7 shows the calculation standard for the total impact score provided in the embodiments of the present specification;
FIG. 8 shows the decision criteria for the attack feasibility level provided by the embodiments of the present description;
FIG. 9 is a table of the severity, exposure and controllability levels provided by embodiments of the present disclosure;
FIG. 10 is a table of the ASIL level calculation criteria provided in the examples of the present specification;
FIG. 11 is a table of the comprehensive risk assessment criteria set on the basis of the overall risk matrix calculation method according to an embodiment of the present disclosure;
FIG. 12 shows the correspondence between the comprehensive risk value and the evaluation of the automatic driving safety performance of the current vehicle, provided in the embodiments of the present disclosure;
FIG. 13 is a block diagram of the comprehensive risk assessment device integrating information security and functional safety according to an embodiment of the present disclosure.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1:
As shown in FIG. 1, an embodiment of the present disclosure provides a comprehensive risk assessment method integrating information security and functional safety, including:
S100: acquiring a component of the vehicle that needs to undergo safety detection, wherein the component is a module or device that must be scheduled in order to realize automatic driving;
the components include modules or devices that perform data transmission in the vehicle or in the cloud; when the transmission process is abnormal, the transmitted data are defined as damaged assets that affect information security and functional safety.
In this embodiment, the safety performance of the vehicle's automatic driving technology is evaluated from the two aspects of functional safety and information security. The information security risks of all threat scenarios affecting information security and the functional safety risks of all failure modes affecting functional safety are determined, giving an overall safety risk standard that can comprehensively evaluate the safety level of the automatic driving technology; the vehicle's safety performance is then evaluated by comparing the situations the vehicle encounters during the automatic driving test with those threat scenarios or failure modes.
S200: determining, from the component, a damaged asset corresponding to the component, the damaged asset including a first damaged asset associated with personal information or vehicle information and a second damaged asset capable of affecting functional safety of the vehicle;
wherein the first damaged asset includes, but is not limited to, assets related to the user's personal information or to other vehicle information security; the second damaged asset includes, but is not limited to, physical, software or data assets, implemented with electrical/electronic technology, that are related to the safe operation of the vehicle.
The second damaged asset can act on the vehicle's electronic devices and affect their normal operating state, thereby creating a functional safety risk for the vehicle.
S300: obtaining, from the damaged assets, the information security data corresponding to them, wherein the information security data comprises information security vulnerabilities and their corresponding information security risk values, and an information security vulnerability is a weakness through which an attacker can penetrate the vehicle system via an information security attack path;
in a specific embodiment, obtaining the information security data corresponding to the damaged asset comprises:
obtaining, on the basis of a TARA analysis method, the level of the damaged asset's impact on safety, finance, operation and privacy from the information security vulnerabilities of the damaged asset;
and determining, from the impact levels on safety, finance, operation and privacy under the corresponding threat scenario, the information security risk value when the information security vulnerability occurs, so as to obtain a TARA table containing the correspondence between information security vulnerabilities and information security risk values.
Specifically, TARA (Threat Analysis and Risk Assessment) is mainly used to identify and assess potential threats to intelligent connected vehicle systems and to assess the corresponding risks. Accordingly, the TARA table contains assets, threat scenarios and the corresponding information security risk values, defined as follows:
assets: the important resources, assets and data of a system or organization, identified and evaluated to determine their importance to security;
threat scenario: the threats and scenarios that may affect the asset, identified from the asset and its security requirements;
information security risk value: the risk of each asset, evaluated from the impact and probability of the threat scenario, in order to identify potential risks and decide whether further management and control are needed.
Specifically, information security evaluates the impact level of a damage scenario on road users in four impact categories: safety, financial, operational and privacy (S, F, O and P respectively).
As shown in FIG. 2, the impact level of the damage scenario is determined as one of the following levels: very severe; severe; medium; negligible.
As shown in FIGS. 3-6, the financial, operational and privacy impacts may be rated according to the TARA table given in ISO 21434; the safety impact is rated according to the ASIL level evaluation standard of functional safety.
For example, one threat scenario for ACC (adaptive cruise control) is that an attacker uses counterfeit chassis-domain data to carry out a spoofing attack on the IFC, so that the IFC obtains incorrect chassis-domain data; authenticity is violated and the IFC's data reception becomes abnormal.
From this scenario, the impact level on safety is determined to be medium, and the corresponding score is 3 according to the ASIL level evaluation standard.
The analysis determines the financial impact level to be medium, with a corresponding score of 3 according to the financial impact evaluation standard; the operational impact level to be significant, with a score of 6 according to the operational impact evaluation standard; and the privacy impact level to be moderate, with a score of 3 according to the privacy impact evaluation standard.
As shown in FIG. 7, a total impact score of 57, corresponding to the medium level, is obtained from the four scores for safety, finance, operation and privacy on the basis of the TARA table.
In a specific embodiment, the comprehensive risk assessment method of the present application further comprises:
obtaining, from the information security vulnerability, the corresponding information security attack paths and the attack feasibility level of each attack path, wherein one information security vulnerability corresponds to one or more information security attack paths;
and obtaining the information security risk value of the damaged asset under the different vulnerability scenarios and attack path conditions from the impact level of the vulnerability on safety, finance, operation and privacy together with the attack feasibility level of the corresponding attack path, so as to obtain the final information security risk value.
Specifically, the threat scenario of an information security vulnerability corresponds to one or more attack paths. The different ways of realizing the threat scenario are analyzed (for example with an attack tree, an attack graph or a bottom-up method) in order to identify the vulnerabilities from which an attack path is constructed and to determine the attack paths that lead to the threat scenario.
For each attack path, the attack feasibility level is determined as illustrated in FIG. 8.
For each threat scenario, the information security risk values corresponding to its different attack paths are determined from the impact level of the threat scenario together with the attack feasibility of the related attack paths.
The resulting information security risk value of a threat scenario lies between 1 and 5 inclusive, where 1 represents the minimum risk.
S400: obtaining functional safety data corresponding to the second damaged asset according to the second damaged asset, wherein the functional safety data comprises a failure mode and a functional safety risk value;
in a specific embodiment, obtaining the functional safety data corresponding to the second damaged asset comprises:
obtaining, on the basis of a HARA analysis method, the severity, exposure and controllability corresponding to each failure mode of the second damaged asset;
and determining the functional safety risk value from the severity, exposure and controllability under the corresponding failure mode, so as to obtain a HARA table containing the correspondence between failure modes and functional safety risk values.
In particular, HARA (Hazard Analysis and Risk Assessment) aims to identify and classify the hazards of an item and to derive the safety goals that must be met in order to prevent or mitigate those hazards and avoid unreasonable risk. Accordingly, the HARA table contains related items, affected functions, failure modes and the corresponding functional safety ASIL levels, defined as follows:
related items: the equipment, components, systems, etc. of the item that need to be evaluated;
affected functions: the functions of the item that may fail;
failure mode: the possible ways in which the item fails, such as faults, defects or attacks;
corresponding functional safety ASIL level: the degree of safety impact of the item.
In particular, each electronic device associated with functional safety corresponds to one or several potential failure modes, and each failure mode needs to be considered from three aspects: severity, exposure rate and controllability, as shown in fig. 9. The ASIL rating is set according to the degree in these three aspects, i.e. the three scores defined in ISO 26262, and a HARA table is obtained as shown in fig. 10.
The severity represents the degree of injury that the consequences of the fault cause to traffic participants such as drivers and pedestrians, and the controllability represents the ability of drivers and pedestrians to control the situation and avoid the risk. Since severity and controllability are closely related to the scene in which the failure occurs (for example, the same cruise vehicle speed control failure has more severe consequences on rainy and snowy days than on sunny days), HARA analysis also needs to consider the probability of occurrence of the scene, i.e. the exposure rate.
Query the HARA table according to the severity, exposure rate and controllability scores, and obtain the ASIL level corresponding to the failure mode. For the same failure problem, i.e. potential failure mode, the obtained ASIL levels are different due to different considered failure scenarios, and the maximum ASIL level should be selected as the ASIL level of the failure mode.
ASIL grades are rated on a four-level scale A, B, C, D, with a higher grade indicating a more serious safety issue for this failure mode. If there is no safety problem, the ASIL class is QM. In this application, the ASIL grade is the functional safety risk.
For example, one failure mode of ACC (adaptive cruise system) is loss of sensor speed measurement, and according to analysis, it is determined that its corresponding severity is S2, exposure is E2, controllability is C2, and according to the HARA table shown in fig. 10, the corresponding ASIL level is QM.
S500: and setting the overall safety information corresponding to the information safety data and the functional safety data based on an overall risk matrix operation method so as to obtain an overall risk evaluation standard and realize the safety overall evaluation of the automatic driving of the vehicle.
Specifically, as shown in fig. 11, the functional safety ASIL level is mapped to a number from 1 to 5, i.e. QM→1, A→2, B→3, C→4, D→5, and the overall safety information is then determined: the overall safety risk takes the maximum of the information security risk value and the functional safety risk value, i.e. overall safety risk = max(information security risk value, mapped ASIL level).
The overall safety risk matrix shown in fig. 11 integrates the information security risk value and the functional safety ASIL level; if either the information security risk level or the functional safety hazard level is high, the overall risk value rises accordingly.
In a specific embodiment, after step S500 sets the overall safety information corresponding to the information security data and the functional safety data based on the overall risk matrix operation method, so as to obtain the overall risk assessment standard and realize the overall safety assessment of the automatic driving of the vehicle, the method further includes:
deploying a first detection module on a vehicle or cloud to detect information security vulnerabilities causing damage to the damaged asset;
wherein the first detection module corresponds to one or more of the damaged assets;
In a specific embodiment, after step S500 sets the overall safety information corresponding to the information security data and the functional safety data based on the overall risk matrix operation method, so as to obtain the overall risk assessment standard and realize the overall safety assessment of the automatic driving of the vehicle, the method further includes:
deploying a second detection module at the vehicle's electronics to detect a failure mode caused by the second damaged asset affecting the vehicle's functional safety;
wherein the second detection module corresponds to one or more failure modes that occur based on the electronic device failure.
Specifically, based on the electronic and electrical architecture diagram, the model, the physical components and the like of the vehicle, the components on which detection modules need to be deployed are determined, the detection modules are arranged and partitioned, and the deployment position of each detection module is determined. The detection modules comprise a first detection module and a second detection module.
The first detection module is used for detecting the damaged assets corresponding to the threat scenes of the information security vulnerabilities, so that the attack path can be identified from its characteristics when damage to an asset occurs;
the second detection module analyzes the failure modes caused by the corresponding electronic devices by detecting the failure states of those electronic devices.
In a specific embodiment, after the first detection module is deployed on the vehicle or in the cloud, the method further comprises:
acquiring target damaged assets with information security threat and corresponding target information security holes of the target damaged assets;
and determining a corresponding information security risk value according to the target information security vulnerability based on the TARA table.
In a specific embodiment, after the second detection module is deployed in the electronic devices of the vehicle, the method further comprises:
acquiring a target electronic device with functional safety failure and a corresponding target failure mode of the target electronic device;
and determining a corresponding functional safety risk value according to the target failure mode based on the HARA table.
In a specific embodiment, after determining the corresponding functional safety risk value according to the target failure mode based on the HARA table, the method further comprises:
and obtaining a comprehensive risk value according to the functional safety risk value and the information safety risk value detected in the automatic driving test process based on the comprehensive risk evaluation standard so as to comprehensively evaluate the automatic driving safety performance of the current vehicle, as shown in fig. 12.
For example, the ACC (adaptive cruise control system) is subject to a replay attack. The threat scene is a security event in which an attacker uses counterfeit ADAS domain data to deceive the EMS, so that the EMS receives wrong ADAS domain data: the authenticity of the data is violated, the data received by the EMS is abnormal, and the vehicle is caused to collide accidentally. The attack path is OBD -> EMS, and the information security risk value is 3.
The corresponding failure mode is that the control system of the vehicle is subjected to an information security attack; its ASIL grade is C, which is mapped to a functional safety risk value of 4.
And obtaining the comprehensive risk value as max (3, 4) =4 according to the information security risk value and the functional security risk value.
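The HARA lookup described above (severity, exposure and controllability scores queried against the table, the highest ASIL kept when one failure mode is rated in several scenes), the QM→1 ... D→5 mapping, the overall risk = max(information security risk value, mapped ASIL) rule, and the combination of what the two detection modules report, carried through as one added Python example. This is illustration code, not code from the patent; it assumes the table in fig. 10 is the standard ISO 26262-3 ASIL determination table, and the TARA and HARA lookup tables it uses are constructed from the page's own ACC examples (the replay attack with risk value 3 and ASIL C, and the sensor speed measurement loss rated S2/E2/C2).

```python
"""Worked example: HARA table lookup and comprehensive risk combination."""

ASIL_ORDER = ("QM", "A", "B", "C", "D")
# Mapping used by the method: QM->1, A->2, B->3, C->4, D->5
ASIL_TO_RISK = {level: index + 1 for index, level in enumerate(ASIL_ORDER)}

# ISO 26262-3 ASIL determination table, indexed [S][E][C - 1].
# Assumed here to be the HARA lookup table the page refers to as fig. 10.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}


def asil_level(severity, exposure, controllability):
    """Query the HARA table with S1..S3, E1..E4 and C1..C3 scores."""
    if severity not in ASIL_TABLE:
        raise ValueError(f"severity must be 1..3, got {severity}")
    if exposure not in ASIL_TABLE[severity]:
        raise ValueError(f"exposure must be 1..4, got {exposure}")
    if controllability not in (1, 2, 3):
        raise ValueError(f"controllability must be 1..3, got {controllability}")
    return ASIL_TABLE[severity][exposure][controllability - 1]


def asil_by_sum(severity, exposure, controllability):
    """Closed-form equivalent of the table: ASIL index = max(0, S + E + C - 6)."""
    return ASIL_ORDER[max(0, severity + exposure + controllability - 6)]


def failure_mode_asil(scenarios):
    """One failure mode rated in several scenes: keep the highest ASIL.

    `scenarios` is an iterable of (S, E, C) score triples.
    """
    levels = [asil_level(s, e, c) for s, e, c in scenarios]
    return max(levels, key=ASIL_ORDER.index)


def overall_risk(info_security_risk, asil):
    """Overall safety risk = max(information security risk value, mapped ASIL)."""
    if info_security_risk not in range(1, 6):
        raise ValueError(f"information security risk value must be 1..5, got {info_security_risk}")
    return max(info_security_risk, ASIL_TO_RISK[asil])


# Constructed lookup tables standing in for the TARA and HARA tables of the page.
TARA_TABLE = {
    # threat scene -> information security risk value (page example: replay attack on ACC, OBD -> EMS)
    "ACC replay attack via OBD->EMS": 3,
}
HARA_TABLE = {
    # failure mode -> ASIL level
    "ACC control system under information security attack": "C",
    "ACC sensor speed measurement lost": failure_mode_asil([(2, 2, 2)]),  # S2/E2/C2 -> QM
}


def assess_detections(info_events, functional_events, tara_table=TARA_TABLE, hara_table=HARA_TABLE):
    """Combine what the first (information security) and second (functional safety)
    detection modules reported during a test run into one comprehensive risk value.

    Returns (information security risk value, ASIL level, overall risk value).
    With nothing detected the result is the minimum: (1, "QM", 1).
    """
    info_risk = max((tara_table[event] for event in info_events), default=1)
    asil = max((hara_table[event] for event in functional_events), key=ASIL_ORDER.index, default="QM")
    return info_risk, asil, overall_risk(info_risk, asil)


if __name__ == "__main__":
    print("S2/E2/C2 ->", asil_level(2, 2, 2))
    print(assess_detections(["ACC replay attack via OBD->EMS"],
                            ["ACC control system under information security attack"]))
```

`asil_by_sum` is included only as a cross-check of the table entries: every (S, E, C) combination in the explicit table agrees with the sum form, which makes a hand-transcribed HARA table easy to validate before it is used in an assessment.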
As shown in fig. 13, the embodiment of the present disclosure provides an integrated risk assessment device for integrating information security and functional security, including:
component acquisition module 1301: used for acquiring a component in the vehicle that needs to be subjected to safety detection, wherein the component is a module or device that needs to be scheduled in order to realize automatic driving;
the damaged asset determination module 1302: determining from the component a damaged asset corresponding to the component, the damaged asset comprising a first damaged asset associated with personal or vehicle information and a second damaged asset capable of affecting functional safety of the vehicle;
information security determination module 1303: the method comprises the steps that information security data corresponding to damaged assets are obtained according to the damaged assets, the information security data comprise information security vulnerabilities and corresponding information security risk values, and the information security vulnerabilities are vulnerabilities for an attacker to invade the inside of a vehicle system through an information security attack path;
functional safety determination module 1304: the method comprises the steps of obtaining functional safety data corresponding to a second damaged asset according to the second damaged asset, wherein the functional safety data comprises a failure mode and a functional safety risk value;
the comprehensive risk assessment module 1305: the method is used for setting the overall safety information corresponding to the information safety data and the functional safety data based on the overall risk matrix operation method so as to obtain the comprehensive risk assessment standard and realize the comprehensive assessment of the safety of the automatic driving of the vehicle.
While the invention has been described in terms of preferred embodiments, the invention is not limited to the embodiments described herein, but encompasses various changes and modifications that may be made without departing from the scope of the invention.
The embodiments and features of the embodiments described herein can be combined with each other without conflict.
The above disclosure is only a preferred embodiment of the present invention, and it is needless to say that the scope of the invention is not limited thereto, and therefore, the equivalent changes according to the claims of the present invention still fall within the scope of the present invention.

Claims (10)

1. The comprehensive risk assessment method integrating information security and functional security is characterized by comprising the following steps:
acquiring a part needing to be subjected to safety detection in a vehicle, wherein the part is a module or a device needing to be scheduled for realizing automatic driving;
determining, from the component, a damaged asset corresponding to the component, the damaged asset including a first damaged asset associated with personal information or vehicle information and a second damaged asset capable of affecting functional safety of the vehicle;
obtaining information security data corresponding to the damaged asset according to the damaged asset, wherein the information security data comprises information security vulnerabilities and corresponding information security risk values thereof, and the information security vulnerabilities are vulnerabilities of attackers penetrating into a vehicle system through an information security attack path;
obtaining functional safety data corresponding to the second damaged asset according to the second damaged asset, wherein the functional safety data comprises a failure mode and a functional safety risk value;
and setting the overall safety information corresponding to the information safety data and the functional safety data based on an overall risk matrix operation method so as to obtain an overall risk evaluation standard and realize the safety overall evaluation of the automatic driving of the vehicle.
2. The integrated risk assessment method of integrating information security and functional security of claim 1, wherein obtaining information security data corresponding to the damaged asset from the damaged asset comprises:
obtaining the influence level of the damage asset on safety, finance, operation and privacy according to the information security holes of the damage asset based on a TARA analysis method,
and determining the information security risk value when the information security vulnerability occurs according to the influence level on security, finance, operation and privacy under the corresponding threat scene so as to obtain a TARA table comprising the corresponding relation between the information security vulnerability and the information security risk value.
3. The method of integrated risk assessment of information security and functional security of claim 1, wherein obtaining functional security data corresponding to the second damaged asset from the second damaged asset comprises:
the corresponding severity, exposure and controllability of the second damaged asset is obtained according to each failure mode of the second damaged asset based on the HARA analysis method,
and determining the functional safety risk value according to the severity, the exposure rate and the controllability under the corresponding failure mode so as to obtain the HARA table comprising the corresponding relation between the failure mode and the functional safety risk value.
4. The integrated risk assessment method for information security and functional security according to claim 2 or 3, further comprising:
obtaining a corresponding information security attack path and an attack feasibility level corresponding to the information security attack path according to the information security vulnerability, wherein one information security vulnerability corresponds to one or more information security attack paths;
and obtaining the corresponding information security risk value of the damaged asset under different information security vulnerability scenes and information security attack path conditions according to the influence level of the information security vulnerability on security, finance, operation and privacy and the attack feasibility level corresponding to the information security attack path so as to obtain a final information security risk value.
5. The integrated risk assessment method for integrating information security and functional security according to claim 4, wherein setting the integrated security information corresponding to the information security data and the functional security data based on an integrated risk matrix operation method to obtain an integrated risk assessment standard to realize an integrated assessment of the security of the automatic driving of the vehicle, and then comprising:
deploying a first detection module on a vehicle or cloud to detect information security vulnerabilities causing damage to the damaged asset;
wherein the first detection module corresponds to one or more of the damaged assets.
6. The method for integrated risk assessment of information security and functional security according to claim 5, wherein deploying the first detection module in the vehicle or cloud comprises:
acquiring target damaged assets with information security threat and corresponding target information security holes of the target damaged assets;
and determining a corresponding information security risk value according to the target information security vulnerability based on the TARA table.
7. The integrated risk assessment method for information security and functional security according to claim 5 or 6, wherein after setting the integrated security information corresponding to the information security data and the functional security data based on the integrated risk matrix operation method, so as to obtain an integrated risk assessment standard to realize the integrated security assessment of the automatic driving of the vehicle, the method further comprises:
deploying a second detection module at the vehicle's electronics to detect a failure mode caused by the second damaged asset affecting the vehicle's functional safety;
wherein the second detection module corresponds to one or more failure modes that occur based on the electronic device failure.
8. The method for integrated risk assessment of information security and functional security of claim 7, wherein deploying the second detection module at the vehicle electronics, then comprises:
acquiring a target electronic device with functional safety failure and a corresponding target failure mode of the target electronic device;
and determining a corresponding functional safety risk value according to the target failure mode based on the HARA table.
9. The method of claim 8, wherein determining a corresponding functional security risk value from the target failure mode based on the HARA table, and then comprises:
and obtaining a comprehensive risk value according to the functional safety risk value and the information safety risk value detected in the automatic driving test process based on the comprehensive risk evaluation standard so as to comprehensively evaluate the automatic driving safety performance of the current vehicle.
10. An integrated risk assessment device integrating information security and functional security, comprising:
component acquisition module: used for acquiring a component in the vehicle that needs to be subjected to safety detection, wherein the component is a module or device that needs to be scheduled in order to realize automatic driving;
a damaged asset determination module: determining from the component a damaged asset corresponding to the component, the damaged asset comprising a first damaged asset associated with personal or vehicle information and a second damaged asset capable of affecting functional safety of the vehicle;
information security determination module: used for obtaining information security data corresponding to the damaged asset according to the damaged asset, wherein the information security data comprises information security vulnerabilities and corresponding information security risk values, and the information security vulnerabilities are vulnerabilities through which an attacker invades the inside of the vehicle system via an information security attack path;
functional safety determination module: the method comprises the steps of obtaining functional safety data corresponding to a second damaged asset according to the second damaged asset, wherein the functional safety data comprises a failure mode and a functional safety risk value;
comprehensive risk assessment module: the method is used for setting the overall safety information corresponding to the information safety data and the functional safety data based on the overall risk matrix operation method so as to obtain the comprehensive risk assessment standard and realize the comprehensive assessment of the safety of the automatic driving of the vehicle.
CN202310318711.2A 2023-03-27 2023-03-27 Comprehensive risk assessment method and device integrating information security and functional security Pending CN116362543A (en)

Publications (1)

Publication Number Publication Date
CN116362543A true CN116362543A (en) 2023-06-30

Family

ID=86918852

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310318711.2A Pending CN116362543A (en) 2023-03-27 2023-03-27 Comprehensive risk assessment method and device integrating information security and functional security

Country Status (1)

Country Link
CN (1) CN116362543A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117579388A (en) * 2024-01-16 2024-02-20 北京源堡科技有限公司 Risk assessment method, system, equipment and medium for intelligent network interconnection industrial control system
CN117579388B (en) * 2024-01-16 2024-04-05 北京源堡科技有限公司 Risk assessment method, system, equipment and medium for intelligent network interconnection industrial control system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination