Security Assurance Cases for Road Vehicles: an Industry Perspective
This work provides practical guidance for automotive companies to implement security assurance cases, with potential applicability to other safety-critical domains like healthcare and transportation.
The paper addresses the challenge of defining a sound methodology for security assurance cases in the automotive industry, resulting in a set of recommendations aligned with standards and internal processes based on an investigation at two large automotive companies in Sweden.
Assurance cases are structured arguments that are commonly used to reason about the safety of a product or service. Currently, there is an ongoing push towards using assurance cases for also cybersecurity, especially in safety-critical domains, like automotive. While the industry is faced with the challenge of defining a sound methodology to build security assurance cases, the state of the art is rather immature. Therefore, we have conducted a thorough investigation of the (external) constraints and (internal) needs that security assurance cases have to satisfy in the context of the automotive industry. This has been done in the context of two large automotive companies in Sweden. The end result is a set of recommendations that automotive companies can apply in order to define security assurance cases that are (i) aligned with the constraints imposed by the existing and upcoming standards and regulations and (ii)harmonized with the internal product development processes and organizational practices. We expect the results to be also of interest for product companies in other safety-critical domains, like healthcare, transportation, and so on