A Study of The Risk Quantification Method of Cyber-Physical Systems focusing on Direct-Access Attacks to In-Vehicle Networks.

Cyber-physical systems, in which ICT systems and field devices are interconnected and interlocked, have become widespread. More threats need to be taken into consideration when designing the secu-rity of cyber-physical systems. Attackers may cause damage to the physical world by attacks which exploit vulnerabilities of ICT systems, while other attackers may use the weaknesses of physical boundaries to exploit ICT systems. Therefore, it is necessary to assess such risks of attacks properly. A direct-access attack in the field of automobiles is the latter type of at-tacks where an attacker connects unauthorized equipment to an in-vehicle network directly and attempts unauthorized access. But it has been consid-ered as less realistic and evaluated less risky than other threats via network entry points by conventional risk assessment methods. We focused on re-assessing threats via direct access attacks in proposing effective security design procedures for cyber-physical systems based on a guideline for au-tomobiles, JASO TP15002. In this paper, we focus on "fitting to a specific area or viewpoint" of such a cyber-physical system, and devise a new risk quantification method, RSS-CWSS CPS based on CWSS, which is also a vulnerability evaluation standard for ICT systems. It can quantify the char-acteristics of the physical boundaries in cyber-physical systems.