Security & Reliability Diagnostics
SYSTEM · Zone Architecture Gateway to EV Powertrain · Rev 2.1
Critical Threats (CAL 4)
0
T-01 OTA · T-02 Bus Injection
Mitigation Coverage
0
ISO/SAE 21434 Controls
Top Event PMHF — H-01
0
FIT · Target < 10 · random HW only
Minimal Cut Sets
0
Basic Event Failure Paths
Threat Analysis & Risk Assessment (TARA)
ISO/SAE 21434
| ID | Threat Scenario | STRIDE | Impact | Feasibility | Vector | CAL | R155 A5 | Treatment | Mitigation Status |
|---|---|---|---|---|---|---|---|---|---|
| T-01 | Remote Code Execution via OTA Downgrade | T, E | Severe (4) | High (3) | Network | CAL 4 | §4.3.3 | Reduce | Secure Boot + Anti-rollback — Pending |
| T-02 | CAN FD Injection from Compromised Infotainment | S, D | Severe (4) | High (3) | Network (IVI) | CAL 4 | §4.3.2 | Reduce | SecOC (CMAC-AES-128) — Implemented |
| T-03 | BMS Firmware Extraction via Diagnostic Port | I | Major (3) | Medium (2) | Physical | CAL 2 | §4.3.6 | Reduce | UDS 0x29 Authentication — Implemented |
| T-04 | Denial of Service on Inverter Control Bus | D | Moderate (2) | Low (1) | Adjacent | CAL 2 | §4.3.2 | Retain | Rate Limiting Active — residual accepted |
| T-05 | Spoofing Sensor Data (Resolver Offset) | S, T | Severe (4) | Low (1) | Physical | CAL 2 | §4.3.2 | Reduce | Plausibility Check (ASIL D) — Implemented |
Risk Value Matrix
ISO/SAE 21434 §15.8 · Impact × Feasibility
ATTACK FEASIBILITY →
Low (1)
Med (2)
High (3)
V.High (4)
Negligible
1
1
2
2
Moderate
1
2
3
3
Major
2
3
4
4
Severe
2
3
T-01 · T-02
5
↑ IMPACT (Safety / Financial / Operational / Privacy)
Risk values drive treatment decisions (§15.9). CAL is assigned separately from impact
category and attack vector per ISO/SAE 21434 Annex E — see Vector / CAL columns in the TARA.
Fault Tree Analysis (FTA) & Minimal Cut Sets
Top Event: H-01 (Unintended Acceleration)
Unintended Torque > 2Nm (H-01)
PMHF: 7.3 FIT residual · Target ≤ 10 FIT
Hardware Random Failure
Σλres = 7.3 FIT
(incl. 0.9 FIT sensor path)
(incl. 0.9 FIT sensor path)
Inverter MCU Failure
λ = 4.2 FIT (DC = 98%)
Gate Driver Stuck-On
λ = 2.2 FIT (DC = 95%)
Systematic / Cyber Attack
Qualitative
excluded from PMHF
excluded from PMHF
Gateway Boundary Bypass
SecOC Bypass (T-02)
Torque Cmd Injection
Plausibility Check Fails
norxs · Security & Reliability Platform · Demo environment — simulated data · norxs.com
Safety × Security Co-Engineering — Trade-off Register
ISO 26262 ∩ ISO/SAE 21434
| Interaction | Security Side | Safety Side | Resolution |
|---|---|---|---|
| SecOC latency vs FTTI | CMAC-AES-128 verify: 0.18 ms per torque PDU (HSM accelerated) | Detection budget 8 ms of FTTI 100 ms — MAC verify consumes 2.3% | Accepted — latency within budget, monitored in HIL regression |
| MAC truncation vs bus load | 64-bit MAC: forgery 2⁻⁶⁴ · bus load +12%. 32-bit: +6% but weaker | CAN FD payload headroom must preserve E2E P7 fields + worst-case latency | 64-bit selected — load 61% peak < 70% design limit |
| Key rotation vs availability | SecOC freshness reset on key rollover risks transient MAC failures | Spurious frame rejection must not trip plausibility monitor (false safe-state) | Dual-key grace window 500 ms — fault tolerant time respected, in validation |
| Secure boot vs startup time | Signature + anti-rollback check adds 180 ms to boot | Torque availability requirement: ready < 2 s after KL15 | Accepted — measured cold boot 1.4 s incl. verification |
Conflicts between cybersecurity controls and safety mechanisms are tracked as interaction items and resolved jointly
per ISO 26262-2 §5.4.5.5 and ISO/SAE 21434 §5.4.2 — not negotiated after the fact.