Automotive Safety & Cybersecurity Engineering Platform
System Live
Contact Expert
DM
Critical Threats (CAL 4)
0
T-01 OTA · T-02 Bus Injection
Mitigation Coverage
0
ISO/SAE 21434 Controls
Top Event PMHF — H-01
0
FIT · Target < 10 · random HW only
Minimal Cut Sets
0
Basic Event Failure Paths
Threat Analysis & Risk Assessment (TARA)
ISO/SAE 21434
ID Threat Scenario STRIDE Impact Feasibility Vector CAL R155 A5 Treatment Mitigation Status
T-01 Remote Code Execution via OTA Downgrade T, E Severe (4) High (3) Network CAL 4 §4.3.3 Reduce Secure Boot + Anti-rollback — Pending
T-02 CAN FD Injection from Compromised Infotainment S, D Severe (4) High (3) Network (IVI) CAL 4 §4.3.2 Reduce SecOC (CMAC-AES-128) — Implemented
T-03 BMS Firmware Extraction via Diagnostic Port I Major (3) Medium (2) Physical CAL 2 §4.3.6 Reduce UDS 0x29 Authentication — Implemented
T-04 Denial of Service on Inverter Control Bus D Moderate (2) Low (1) Adjacent CAL 2 §4.3.2 Retain Rate Limiting Active — residual accepted
T-05 Spoofing Sensor Data (Resolver Offset) S, T Severe (4) Low (1) Physical CAL 2 §4.3.2 Reduce Plausibility Check (ASIL D) — Implemented
Risk Value Matrix
ISO/SAE 21434 §15.8 · Impact × Feasibility
ATTACK FEASIBILITY →
Low (1)
Med (2)
High (3)
V.High (4)
Negligible
1
1
2
2
Moderate
1
2
3
3
Major
2
3
4
4
Severe
2
3
T-01 · T-02
5
↑ IMPACT (Safety / Financial / Operational / Privacy)
Risk values drive treatment decisions (§15.9). CAL is assigned separately from impact category and attack vector per ISO/SAE 21434 Annex E — see Vector / CAL columns in the TARA.
Fault Tree Analysis (FTA) & Minimal Cut Sets
Top Event: H-01 (Unintended Acceleration)
Unintended Torque > 2Nm (H-01)
PMHF: 7.3 FIT residual · Target ≤ 10 FIT
Hardware Random Failure
Σλres = 7.3 FIT
(incl. 0.9 FIT sensor path)
Inverter MCU Failure
λ = 4.2 FIT (DC = 98%)
Gate Driver Stuck-On
λ = 2.2 FIT (DC = 95%)
Systematic / Cyber Attack
Qualitative
excluded from PMHF
Gateway Boundary Bypass
SecOC Bypass (T-02)
Torque Cmd Injection
Plausibility Check Fails
norxs · Security & Reliability Platform · Demo environment — simulated data · norxs.com
Safety × Security Co-Engineering — Trade-off Register
ISO 26262 ∩ ISO/SAE 21434
InteractionSecurity SideSafety SideResolution
SecOC latency vs FTTI CMAC-AES-128 verify: 0.18 ms per torque PDU (HSM accelerated) Detection budget 8 ms of FTTI 100 ms — MAC verify consumes 2.3% Accepted — latency within budget, monitored in HIL regression
MAC truncation vs bus load 64-bit MAC: forgery 2⁻⁶⁴ · bus load +12%. 32-bit: +6% but weaker CAN FD payload headroom must preserve E2E P7 fields + worst-case latency 64-bit selected — load 61% peak < 70% design limit
Key rotation vs availability SecOC freshness reset on key rollover risks transient MAC failures Spurious frame rejection must not trip plausibility monitor (false safe-state) Dual-key grace window 500 ms — fault tolerant time respected, in validation
Secure boot vs startup time Signature + anti-rollback check adds 180 ms to boot Torque availability requirement: ready < 2 s after KL15 Accepted — measured cold boot 1.4 s incl. verification
Conflicts between cybersecurity controls and safety mechanisms are tracked as interaction items and resolved jointly per ISO 26262-2 §5.4.5.5 and ISO/SAE 21434 §5.4.2 — not negotiated after the fact.