2021 IEEE International Conference on Cyber Security and Resilience (CSR) | 2021

Enabling Efficient Common Criteria Security Evaluation for Connected Vehicles


Abstract


Cyber-security assurance evaluation seeks to gain evidence that the relevant requirements of an IT system are met. Towards that end, carefully designed evaluation processes of the considered systems are needed. The only approach validated so far, the Common Criteria (CC) standard, relies on exhaustive evaluation tasks to provide (up to) the highest possible assurance at the expense of increased costs. When the evaluation involves the connected vehicles paradigm, which integrates a mosaic of third-party modules and interfaces, applying CC becomes problematic; the cost in resources and time further increases while relevant automated tools or document templates are scarce. This paper introduces the AFT (Assurance Framework Toolkit), a platform-independent online software toolkit that enables efficient CC-based cyber-security evaluations on products of the automotive cyber-physical ecosystem. A set of relevant CC-specific security assurance needs is explained, and the way that the AFT software design and functionality covers them is presented. Subsequently, the development of the toolkit (with publicly available source code) as well as its capability to meet automotive evaluation needs are detailed. Finally, an empirical study estimates the expected AFT gains against typical unassisted CC evaluations. The proposed toolkit (along with its extendibility feature) practically tackles the cost limitations of standardized security evaluations, filling an important technology gap towards safer connected driving.

Pages 234-240
DOI 10.1109/CSR51186.2021.9527905
Language English
Journal 2021 IEEE International Conference on Cyber Security and Resilience (CSR)
