The present invention relates to a vulnerability evaluation apparatus, a vulnerability evaluation system, and a vulnerability evaluation method, and more particularly to a vulnerability evaluation apparatus, system, and method that can be used in new product development.
In recent years, technologies that acquire various kinds of information by communicating with external information communication devices, and thereby realize safe driving support and automatic driving of a vehicle, have started spreading in in-vehicle communication systems each including a plurality of electronic control units (ECUs). In such an in-vehicle communication system, the risk of receiving a cyber attack from the outside is increasing, and there is a demand for improved security performance. Automobiles in particular bear unusually heavy obligations, not only for protecting their passengers but also for the safety of their surrounding environment. Further, the display screen for the control functions and automatic driving support of an automobile is an important component for safety and has a high asset value. That is, such a display screen is an important unit, and therefore needs to be carefully defended against attack.
Meanwhile, the software forming such devices may have defects called software vulnerabilities (hereinafter also referred to as “security holes” or “security vulnerabilities”, or simply as “vulnerabilities”), such as failures in a computer program or problems in the specifications. The device manufacturer should continue to monitor vulnerabilities and collect vulnerability information after product shipment, to maintain the security performance of the product against vulnerabilities. That is, the device manufacturer determines the degree of risk that its product, and the devices that operate in conjunction with the product, will be harmed through a vulnerability, and provides countermeasures in a case where that degree of risk is too high to be ignored.
With such a background, JP 2008-257577 A is known as a technique for evaluating the vulnerability of a system on the basis of the vulnerability of a target system. JP 2008-257577 A discloses a security diagnostic system capable of detecting an intrusion route based on the vulnerabilities of a product and a target system, and performing security diagnosis on the basis of the detected intrusion route.
The security diagnostic system of JP 2008-257577 A is disclosed as a technology to be used in general-purpose security diagnosis, evaluation, and countermeasures for computer devices or computer application devices in general. Particularly, there is a disclosed function that combines points and searches an intrusion route to a target system on the basis of information about the points with vulnerability in the target system.
In the security diagnostic system disclosed in JP 2008-257577 A, however, it is not possible to determine the priority order in coping by taking into account the importance of the defense target. Moreover, in new product development accompanied by frequent specification change, the quality control needed to cope with a newly appearing security hole cannot be performed.
The present invention has been made in view of such problems, and aims to provide a vulnerability evaluation apparatus that is capable of facilitating quality control by taking into account the importance of defense targets, even when a new security hole appears in new product development accompanied by frequent specification change.
An invention according to a first aspect is a vulnerability evaluation apparatus formed with a vulnerability evaluation computer including at least a storage unit and a processing unit to evaluate threat levels of respective security holes in a plurality of security holes of a product and determine priority order among security countermeasures, the product being one to which a computer is applied. The storage unit includes: a configuration information holding unit that stores information about components of the product; a component-vulnerability correspondence holding unit that stores vulnerability information clearly indicating the security holes for the respective components; an asset information holding unit that stores product IDs of respective products associated with asset values of the respective components of the products; a security countermeasure classification holding unit that stores a defense target component associated with a coefficient numerically indicating a countermeasure effect for each security countermeasure; an attack map holding unit that stores component names forming an attack path, and an attack map that associates the component names with the corresponding vulnerability information; and a program to be executed by the processing unit. The processing unit executes the program, to form: an information collection processing unit that acquires information about the product and stores the information into the storage unit; an attack map creation processing unit that creates the attack map for each product; and a vulnerability evaluation processing unit that calculates the threat levels of the security holes of the respective components on the basis of the asset values, and determines priority order among the security countermeasures to be taken.
The invention according to the first aspect can provide a vulnerability evaluation apparatus that evaluates the threat levels of the security holes of the respective components on the basis of the number of products and the asset values of the respective components, and determines priority order among the security countermeasures. Thus, even if a new security hole appears in new product development accompanied by frequent specification change, it is possible to facilitate the quality control to cope with the new security hole.
An invention according to a second aspect is a vulnerability evaluation method for performing a process of evaluating threat levels of security holes in a plurality of security holes in a product and calculating priority order among security countermeasures in a vulnerability evaluation computer that includes at least a storage unit, a processing unit, and a program to be executed by the processing unit, the product being one to which a computer is applied. The storage unit includes: the program; a configuration information holding unit that stores information about components of the product; a component-vulnerability correspondence holding unit that stores vulnerability information clearly indicating the security holes for the respective components; an asset information holding unit that stores product IDs of respective products associated with asset values of the respective components of the product; a security countermeasure classification holding unit that stores a defense target component associated with a coefficient numerically indicating a countermeasure effect for each security countermeasure; and an attack map holding unit that stores component names forming an attack path, and an attack map that associates the component names with the corresponding vulnerability information. The process to be performed by the vulnerability evaluation processing unit formed by the processing unit executing the program in determining the priority order using information stored in the storage unit includes: acquiring one piece of the vulnerability information from the component-vulnerability correspondence holding unit; selecting one of the attack maps from the attack map holding unit; acquiring an asset value corresponding to an asset of the acquired attack map; acquiring a degree of difficulty of attack on the security holes from the component-vulnerability correspondence holding unit; multiplying the asset value by the degree of difficulty of attack; and setting an evaluation value on the basis of the calculation result of the multiplication.
The invention according to the second aspect can achieve the same functions and effects as those of the invention according to the first aspect.
According to the present invention, even when a new security hole appears in new product development accompanied by frequent specification change, the quality control for coping with the new security hole is easy.
First, a vulnerability evaluation apparatus (the present apparatus) according to a first embodiment will be described below in detail, with reference to
The storage unit 40 includes: a configuration information holding unit 41 that holds a configuration information table 5 described later with reference to
The in-vehicle device information collection processing unit 21 acquires in-vehicle device information from the administrator terminal 2 via the input/output unit 27 or the communication unit 28, and also stores various information acquired in such a manner into the configuration information holding unit 41, the asset information holding unit 43, the security countermeasure classification holding unit 44, and the product quantity management table holding unit 45.
The attack map creation processing unit 22 performs a process of creating an attack map for each in-vehicle device product and each product configuration variation, using the information stored in the configuration information table 5 (
The vulnerability evaluation processing unit 23 performs a process of evaluating priority levels in coping with vulnerability, using the information stored in the configuration information table 5 (
This processing unit 23 compares the results of calculation of the magnitudes of influence on the basis of the asset values and the numbers of operating units for the respective components, to perform vulnerability evaluation to evaluate the security vulnerability of each component, and determine priority order. The process of evaluating priority levels in coping with vulnerability in this processing unit 23 will be described later with reference to
To output the processing results obtained by the vulnerability evaluation processing unit 23 to the administrator terminal 2 via the input/output unit 27 or the communication unit 28, the evaluation result output processing unit 24 performs a process of adjusting the format of the evaluation results. In a configuration in which the terminal result notification processing unit 25 is connected to an in-vehicle device as described later in the second embodiment, the terminal result notification processing unit 25 performs a process of transmitting the vulnerability evaluation results, the vulnerability coping results, and/or information such as an attention-seeking warning to the administrator or the like, to the in-vehicle device to be evaluated.
The vulnerability acquisition processing unit 26 acquires information related to vulnerability from the administrator terminal 2 via the input/output unit 27 or the communication unit 28. As will be described later in detail with reference to
The components and the information related to vulnerability that are associated as above are stored into the component-vulnerability correspondence holding unit 42. The information related to vulnerability is information related to information security flaws of software, and is also called security holes. Vulnerability information is distributed by a server of an organization that discloses security knowledge, for example. Here, the distribution source of the vulnerability information does not matter.
The information related to vulnerability may be acquired by the administrator selecting information related to the product from the above distribution server and be input to the present apparatus 1 via the input/output unit 27 or the communication unit 28, or may be acquired automatically by the vulnerability acquisition processing unit 26 from an external distribution server via the communication unit 28.
The CPU 32 controls the entire computer, as well as performing various processes and calculations. The memory 33 and the external storage device 34 such as a hard disk or the like store various kinds of programs and data in a readable form. The communication device 35 communicates with another computer via the network 3. The input device 36 is formed with a keyboard, buttons, switches, and the like, and inputs the administrator's intention to the computer. The output device 37 is formed with a monitor, a printer, and the like, and displays processing results from the computer so that the administrator can be notified of the processing results. The reader device 38 reads information from a portable storage medium 39 such as a CD-ROM or a USB memory. The internal communication line 31 is a path for transmitting and receiving data between the respective units in the computer.
The CPU 32 loads various programs from the external storage device 34 into the memory 33, and executes predetermined programs, to perform the above mentioned respective processes. That is, the processing unit 20 is formed by the CPU 32 performing processing, and the storage unit 40 is formed by the CPU 32 using the memory 33 or the external storage device 34. Further, the communication unit 28 is formed by the CPU 32 using the communication device 35, and the input/output unit 27 is realized by the CPU 32 using the input device 36, the output device 37, or the reader device 38.
The predetermined programs for forming the processing units 21 through 26 grouped under the processing unit 20 shown in
First, in step S1, the administrator terminal 2 inputs various pieces of information about an in-vehicle device to be evaluated to the present apparatus 1. The information about the in-vehicle device is processed by the in-vehicle device information collection processing unit 21 of the present apparatus 1, and is stored into the respective suitable holding units 41 through 46. Next, in step S2, the administrator terminal 2 inputs information related to vulnerability to the present apparatus 1.
The information related to vulnerability is processed by the vulnerability acquisition processing unit 26, and is stored into the component-vulnerability correspondence holding unit 42. In step S2 described above, the administrator may acquire the information related to vulnerability by selecting information related to the products from the vulnerability information distribution server and input the information related to vulnerability to the present apparatus 1, or the vulnerability acquisition processing unit 26 may automatically acquire the information related to vulnerability from an external distribution server via the communication unit 28.
In step S3, the in-vehicle device information collection processing unit 21 of the present apparatus 1 acquires the product ID from the in-vehicle device information input in step S1, and checks whether there is the same product ID in a product ID column 51 in the configuration information table 5 (
If the combination of components differs (No in S3), on the other hand, the in-vehicle device information collection processing unit 21 generates a new configuration variation ID, and stores the hierarchy of the components of the in-vehicle device and the components into the configuration information table 5 (
In step S4, the attack map creation processing unit 22 of the present apparatus 1 creates an attack map for the corresponding configuration variation ID, using the information stored in the configuration information table 5 (
Next, a sequence (S5 to S13) for evaluating the priority level in coping with vulnerability is described. In step S5, the administrator uses the administrator terminal 2 to input vulnerability information that has been newly acquired or queried to the present apparatus 1. At this stage, a product ID may be input from the administrator terminal 2, and the product to be evaluated may be limited before vulnerability evaluation is conducted. There is no limitation on triggers for conducting vulnerability evaluation. Alternatively, in step S5, an evaluation execution button may be pressed without any input of vulnerability information. If a vulnerability evaluation process is performed without any input of vulnerability information in this manner, step S5 is skipped, and the process is performed from step S6.
In step S6, the vulnerability acquisition processing unit 26 of the present apparatus 1 acquires the component-vulnerability correspondence table 6 (
In step S8, the attack map creation processing unit 22 of the present apparatus 1 re-creates all the attack maps of the already stored product IDs and the configuration variation IDs, including the newly stored vulnerability information. When such re-creation is performed, the process of creating each attack map is the same as that in step S4, and will be described later with reference to
In step S11, the vulnerability evaluation processing unit 23 of the present apparatus 1 evaluates the priority level in coping with vulnerability, using the information stored in the configuration information table 5 (
In step S12, the evaluation result output processing unit 24 of the present apparatus 1 processes the results of the vulnerability evaluation process in step S11, and transmits the results to the administrator terminal 2. Lastly, a notification sequence is a sequence in which the administrator terminal 2 notifies the present apparatus 1 of the vulnerability coping result and a coping plan in step S13. Note that this notification sequence (S13) may be skipped.
The product ID column 51 stores information for specifying the types of products. The configuration variation ID column 52 stores information for identifying combinations of components within the same product. The component hierarchy column 53 stores information indicating the physical, network, or conceptual distances from the components to the assets. The component column 54 stores information indicating the respective components.
The information stored in the component hierarchy column and indicating the distances may be shown as configuration layers, network configurations, or cyber kill chains, for example. As long as the information can represent the distances from the components to the assets, the method of representation is not limited to any particular method.
The information stored in the component column 54 may be specific product names, software names, function names, interface names, technical names, and the like of the components. As for product names and software names, the associated vulnerability information differs depending on the software version, and therefore information such as the specific version name should be stored in this column.
As shown in
The component column 61 is created with reference to the component column 54 in the configuration information table 5 (
The vulnerability information column 62 need not store CVE numbers; it may instead store the unique names of vulnerabilities or the like, for example. A plurality of vulnerabilities may be associated with one component. In that case, a plurality of rows of vulnerability information is stored for the one component.
The attack difficulty level column 63 can use CVSS values defined by the common vulnerability scoring system (CVSS) as vulnerability risk values, for example. Instead of CVSS values, it is possible to use values that are set by the administrator on the basis of a certain index. The index may be set on the basis of the CWE identifier, the degree of social impact of the product, the security policy, or the like.
The objective of the present invention is prioritization that takes into account the importance of the object to be protected. To facilitate quality control on security holes appearing in new products, the vulnerability risk values are, for example, set numerically in the range of 1 to 10. As a result, a vulnerability evaluation apparatus, a vulnerability evaluation system, and a method that are user-friendly can be obtained.
Further, in a case where an index of attack difficulty levels is set independently of an index already established to have objectivity, a process of assigning an influence level to each piece of the vulnerability information stored in the column 62 is performed. Whatever rule or regulation sets the risk value, the smaller its numerical value, the higher the security; the greater the numerical value, the more vulnerable the component is to attack, and the more serious the problem. According to the example shown in
The information indicating assets among the components of an in-vehicle device stored in the asset column 72 is functional and data information that is the specifications of the product. In other words, the functions of a product are both components and assets. However, the asset information table 7 (
The information indicating the values of the assets stored in the asset value column 73 is set by the administrator ranking the values of the assets in advance. For example, the values of assets are ranked in accordance with the effects of the assets at a time of attack on the assets, such as functions related directly to automobile control and personal information with which individuals can be identified. In the asset value column 73 in
Specifically, the classification column 83 stores information that classifies the types of security countermeasures into the four categories described below. The four classification categories shown in this example are defense, detection, coping, and recovery, but the classification categories are not limited to these four categories. The coefficient column 84 is set beforehand by the administrator in accordance with the classification. The degrees of mitigation of the security countermeasures against attack on the assets due to vulnerability are determined in advance.
In the example shown in
In step S22, the attack map creation processing unit 22 acquires one piece of asset information about the product ID from the asset information table 7 (
In step S24, the attack map creation processing unit 22 acquires one of the components stored in the component name column 113 arranged in step S23. In step S25, the attack map creation processing unit 22 checks whether the information about the component acquired in step S24 is present in the defense target component column 82 in the security countermeasure classification table 8 (
If the corresponding component is present in the defense target component column 82 (Yes in S25), the process moves on to step S26. If the corresponding component is not present (No in S25), the process moves on to step S27. In step S26, the attack map creation processing unit 22 acquires the security countermeasure corresponding to the component in the security countermeasure classification table 8 (
In step S27, the attack map creation processing unit 22 checks whether information about the component acquired in step S24 is present in the component column 61 in the component-vulnerability correspondence table 6 (
In step S28, the attack map creation processing unit 22 acquires the vulnerability information corresponding to the component from the vulnerability information column 62 in the component-vulnerability correspondence table 6 (
In step S29, a check is made to determine whether the processes in steps S25 through S28 have been performed. Specifically, a check is made to determine whether the attack map creation processing unit 22 has acquired in step S24 all the components in the attack path created in step S23, and completed the allocation of all the vulnerability information corresponding to the components in the attack path. If the result of step S29 is Yes, or if the processes in steps S25 through S28 have been completed, the creation of the attack map for the asset (the asset acquired in S22) corresponding to the product ID has been finished, and the process moves on to step S30.
If the result of step S29 is No, or if the processes in steps S25 through S28 have not been completed, on the other hand, the process returns to step S24. A component that has not yet been subjected to the processes in steps S25 through S28 is acquired in step S24, and the processes in steps S25 through S28 are completed for it. Note that some of the components subjected to steps S25 through S28 may have no security countermeasure or no vulnerability allocated to them. There is no problem in that case, as long as steps S25 through S28 have been carried out.
In step S30, the attack map creation processing unit 22 checks whether attack maps have been created for all the asset information (the column 72 in
In step S31, product IDs and configuration variation IDs are assigned to the created attack map group, and are stored into the attack map holding unit 46 (
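The attack map creation sequence of steps S21 through S31 can be sketched in code. The following is an added example written for this page, not code from the patent. The table contents are constructed; reading the component hierarchy column as a hop distance to the asset, and placing a countermeasure row directly below the component it defends, are assumptions about the layout of the attack map table:

```python
"""Attack-map creation modelled on steps S21 through S31 (added example, not the patent's code)."""

# Constructed sample tables (not data from the page).
# Configuration information table 5: (product ID, configuration variation ID,
# component hierarchy, component). Hierarchy is read here as the number of hops
# from the component to the asset (assumption; the page allows other distance measures).
CONFIG_TABLE = [
    ("P1", "V1", 3, "cellular-modem"),
    ("P1", "V1", 2, "gateway-ecu"),
    ("P1", "V1", 1, "display-os 4.2"),
]
# Asset information table 7: (product ID, asset, asset value)
ASSET_TABLE = [("P1", "display", 8), ("P1", "vehicle-control", 10)]
# Component-vulnerability correspondence table 6: (component, vulnerability, attack difficulty)
VULN_TABLE = [
    ("cellular-modem", "VULN-A", 7),
    ("display-os 4.2", "VULN-B", 4),
    ("display-os 4.2", "VULN-C", 9),
]
# Security countermeasure classification table 8:
# (defense target component, countermeasure, classification, coefficient)
COUNTERMEASURE_TABLE = [("gateway-ecu", "message-filter", "defense", 0.5)]


def attack_path(product_id, variation_id):
    """S23: components of one configuration variation, ordered from the entry
    point (largest distance) down to the asset (assumed ordering)."""
    rows = [(h, c) for p, v, h, c in CONFIG_TABLE if p == product_id and v == variation_id]
    return [c for _, c in sorted(rows, reverse=True)]


def build_attack_map(product_id, variation_id, asset):
    """S24-S29 for one asset: one row per component on the path, a countermeasure
    row directly below each defended component, and the vulnerability information
    of table 6 attached to the component row (possibly none)."""
    rows = []
    for component in attack_path(product_id, variation_id):             # S24
        # S27/S28: vulnerability information registered for this component
        vulns = [vid for comp, vid, _ in VULN_TABLE if comp == component]
        rows.append({"kind": "component", "name": component, "vulns": vulns})
        # S25/S26: countermeasures registered for this defense target component
        for target, name, _cls, coeff in COUNTERMEASURE_TABLE:
            if target == component:
                rows.append({"kind": "countermeasure", "name": name, "coefficient": coeff})
    return {"product": product_id, "variation": variation_id, "asset": asset, "rows": rows}


def build_attack_maps(product_id, variation_id):
    """S22/S30/S31: one attack map per asset of the product; the returned group is
    what would be stored under (product ID, configuration variation ID)."""
    return [build_attack_map(product_id, variation_id, asset)
            for pid, asset, _value in ASSET_TABLE if pid == product_id]


if __name__ == "__main__":
    for amap in build_attack_maps("P1", "V1"):
        print(amap["asset"], [(r["name"], r.get("vulns", r.get("coefficient"))) for r in amap["rows"]])
```

With the constructed tables, each of the two assets of product P1 gets a four-row map: the three components from the outermost one downward, with the message-filter countermeasure row inserted below gateway-ecu, and VULN-B and VULN-C attached to the display-os row.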
The process in which the attack map creation processing unit 22 (
As for the number of products and the number of configuration variations, it is not necessary to strictly check and count the actual number of products that are operating at the transfer destinations. In other words, instead of the actual number, the number of products that can be counted with relative ease is registered by the administrator. The number that can be counted with relative ease may be the number of shipped products, the number of products to be shipped, or the number of products to be operated in future, for example.
As shown in
Of these pieces of information, the product IDs copied from the column 101 are information for identifying the types of products. Meanwhile, the configuration variation IDs copied from the other column 103 are information for identifying the combinations of components within the same products.
The asset column 112 diverts and stores the asset information held in the asset column 72 shown in
The components stored in the component name column 113 are the components forming the attack paths to the assets. At least one of the following three pieces of information to be described as first through third information is allocated to each of the components forming the attack paths to the assets. The first information is information about the components held in the column 54 in the configuration information table 5 (
The second information is information about the assets held in the column 72 in the asset information table 7 (
The vulnerability information column 114 stores the vulnerability information associated with the component names shown in the respective corresponding rows in the left column in
In a case where there is no vulnerability information 62 associated with the components 61 in the component-vulnerability correspondence table 6, the vulnerability information column 114 in the attack map table 11 (
The attack maps are created as a result of the attack map creation process (steps S21 through S31) described above with reference to
In step S42, the vulnerability evaluation processing unit 23 checks whether the assets to be attacked and the attack paths leading to the assets include a component having the corresponding vulnerability. In other words, in step S42, a check is made to determine whether the attack map holding unit stores an attack map table 11 in which the corresponding vulnerability is written.
If there are no components having the corresponding vulnerability in any attack path (No in S42), the process moves on to step S43. If there is a component having the corresponding vulnerability (Yes in S42), on the other hand, the process moves on to step S44. In step S44, the vulnerability evaluation processing unit 23 acquires the asset value column 73 from the asset information table 7 (
In step S45, the vulnerability evaluation processing unit 23 refers to the asset information table 7, and acquires the value in the asset value column 73 corresponding to the asset of the acquired attack map. In step S46, the vulnerability evaluation processing unit 23 refers to the component-vulnerability correspondence table 6 (
In step S47, the vulnerability evaluation processing unit 23 multiplies the asset value by the value of the attack difficulty level. That is, the attack difficulty level acquired for each vulnerability in step S46 is multiplied by the asset value of the asset to be attacked. In other words, the value of the asset to be attacked is multiplied by the attack difficulty level of the vulnerability of the component in the attack path in the attack map. The process in step S47 is performed for all the pieces of vulnerability information associated with components in the attack map.
In step S48, the vulnerability evaluation processing unit 23 checks whether one or more security countermeasures are written in a lower row than the row of the component with which the corresponding vulnerability is associated in the attack map acquired in step S44. If there is at least one security countermeasure written in a lower row (Yes in S48), the process moves on to step S49. If no security countermeasures are written in any lower row (No in step S48), on the other hand, the process skips step S49, and moves on to step S50.
In step S49, the vulnerability evaluation processing unit 23 creates a list of vulnerability information written in the attack map and the evaluation calculation results in step S47 for the vulnerability. In other words, in step S49, the vulnerability evaluation processing unit 23 refers to the coefficient information (the column 84) of the corresponding security countermeasure from the security countermeasure classification table 8 (
An example in which multiplication of coefficients such as an asset value, an attack difficulty level, and a coefficient of an attack mitigation degree is performed in steps S47 and S49 has been described as a simple example of the vulnerability evaluation calculation method. However, the vulnerability evaluation calculation method is not limited to any particular calculation method, as long as the attack mitigation degree of the security countermeasure against attack (a security effect) and the level of influence of vulnerability on the asset are taken into consideration in the calculation method.
In step S50, the evaluation calculation result obtained in step S47 or S49 is set as the evaluation value. In a case where a plurality of calculation results is obtained for the same vulnerability, the greatest value is used as the evaluation value. At this stage, the vulnerability evaluation processing unit 23 sets the list of vulnerability information and calculation result numerical values created in step S49 as the evaluation result. The numerical values of the evaluation calculation results are sorted in descending order as the candidates for a priority level in coping with vulnerability. However, using the numerical value of the evaluation calculation result as the candidate for the priority level is only one example. As described later with reference to
In step S51, the vulnerability evaluation processing unit 23 checks whether calculation has been performed for all the attack maps in which the corresponding vulnerability is written. In other words, a check is made to determine whether there is another configuration variation ID left for the evaluation target product ID. That is, in step S51, a check is made to determine whether all the attack maps have been selected, and evaluation calculation for each vulnerability has been performed. If evaluation calculation has been performed for all the attack maps (Yes in step S51), the process moves on to step S52.
If evaluation calculation has not been performed for at least one of the attack maps (No in step S51), the process returns to step S44. In other words, a check is made to determine whether the evaluation process (S42 through S50) has been performed for the attack maps of all the configuration variation IDs stored in the attack map table 11. If the evaluation process has not been completed (No in step S51), the process returns to step S44, and the evaluation process is also performed for another configuration variation ID. At this stage, the vulnerability evaluation processing unit 23 compares the results of calculation of the magnitudes of influence on the basis of the asset values and the numbers of operating units for the respective components, to perform vulnerability evaluation to evaluate the security vulnerability of each component, and determine priority order.
Lastly, in step S52, a check is made to determine whether calculation has been completed for all of the vulnerability information written in the component-vulnerability correspondence table 6. If the calculation has been completed (Yes in step S52), the vulnerability evaluation process is ended. If the calculation has not been completed (No in step S52), on the other hand, the process returns to step S41, and steps S41 through S51 are repeated.
The evaluation result output screen 13 includes a product display switching tab 14, a table 15 showing vulnerability information and its evaluation values, priority index switching buttons 16, an attack map output button 17, and a report output button 18 with which a result of vulnerability information in selected priority order can be output. The product display switching tab 14 can switch and display the priority order for each product ID or each configuration variation ID. Alternatively, the vulnerabilities of all the products, or the vulnerabilities of all the configuration variations may be ranked and displayed.
The priority index switching buttons 16 can display and switch the vulnerability information in ascending or descending order for the respective indices for priority order, such as the holding ratio of the vulnerability among the products obtained from the evaluation value or the quantity information, or the total value obtained by combining the evaluation value and the holding ratio. The final priority order in coping with vulnerability is to be determined by the administrator taking a plurality of indices into account, and the administrator can select the index on which the priority level list to be output is based.
As described so far, according to the first embodiment, it is possible to determine the priority order in coping with vulnerability by taking into account influence on high-value assets or components that are important in terms of security, and output the results of the determination as the grounds for the determination.
In the first embodiment, the administrator inputs in-vehicle device configuration information and the number of active in-vehicle devices from the administrator terminal. However, the present apparatus and in-vehicle devices may be connected by a network, and those pieces of information may be collected from the in-vehicle devices via the network.
Referring now to
The storage unit 95 includes a terminal configuration information holding unit 96 that stores configuration information about the in-vehicle device. However, in consideration of a risk that communication content is intercepted by an attacker or the in-vehicle device is analyzed for information acquisition, the configuration information held in the in-vehicle device may be part of the information stored in the configuration information table 5 (
The configuration information transmission processing unit 91 regularly transmits the terminal configuration information about the in-vehicle device 4 to a vulnerability processing device via the network 3. The configuration information update processing unit 92 performs a process of updating the terminal configuration information holding unit 96, when updating the version of various kinds of software implemented in the in-vehicle device 4.
The administrator notification processing unit 93 performs a process of displaying a countermeasure result notification transmitted from the present apparatus 1 to the administrator. The administrator may not be the driver of an automobile but may be maintenance personnel who perform maintenance. Therefore, the administrator notification process may include not only displaying all the contents to the driver but also information processing such as adjustment of the information so that the administrator can easily understand the contents. The display timing may also be controlled by a specific command.
The software update processing unit 94 performs a countermeasure software update process as a countermeasure result notification transmitted from the present apparatus 1. For example, the software update processing unit 94 performs a process of downloading and installing a particular patch, a process of executing an OTA update function, and the like.
The present apparatus 1 updates the product quantity management table 10 (
The sequence for evaluating priority levels in coping with vulnerability, which is steps S67 through S72, is substantially the same as steps S5 through S9 of the first embodiment. In the notification sequence, the present apparatus 1 transmits all or part of a countermeasure result notification received from the administrator terminal 2 to the in-vehicle device 4 via the network 3.
The second embodiment of the present invention has been described so far. According to this embodiment, information is acquired from an in-vehicle device via a network. Thus, it is possible to determine priority order in coping with vulnerability, taking into consideration the actual condition of the software update of the in-vehicle device and the number of active in-vehicle devices.
It should be noted that the first and second embodiments do not limit the present invention to the configurations thereof. The first and second embodiments have been described on the premise of evaluation of a single in-vehicle device. However, it is also possible to evaluate priority levels in coping with vulnerability in various kinds of devices constituting an automobile system, by holding the components in the configuration information table 5 (
In the description below, the relevant aspects of the present invention will be described in conjunction with the claimed inventions.
[1] If there is a plurality of security holes in a product to which a computer is applied, the present apparatus 1 evaluates the threat levels of the respective security holes, and determines priority order among security countermeasures (the left column in
The storage unit 40 includes a program that can be executed by the processing unit 20, the configuration information holding unit 41 (
The configuration information holding unit 41 (
The attack map holding unit 46 stores the component names forming an attack path, and the attack maps 11-1 and -2 associated with the vulnerability information corresponding to the component names.
The processing unit 20 executes a program, to form the information collection processing unit 21, the attack map creation processing unit 22, and the vulnerability evaluation processing unit 23.
The information collection processing unit 21 acquires information about the product, and stores the information in the storage unit 40. The attack map creation processing unit 22 creates the attack maps 11-1 and -2 for each product or each product configuration variation. The vulnerability evaluation processing unit 23 calculates the threat levels of the security holes of the respective components on the basis of asset values, and determines priority order (
The present apparatus 1 evaluates the threat levels of the security holes of the respective components on the basis of the number of products and the asset values of the respective components, and determines priority order among the security countermeasures. Thus, even if a new security hole appears in new product development accompanied by frequent specification change, it is possible to facilitate the quality control to cope with the new security hole.
[2] In the present apparatus 1, the vulnerability evaluation computer further includes the input/output unit 27 or the communication unit 28. Meanwhile, the storage unit 40 (
The vulnerability evaluation processing unit 23 calculates threat levels, using the component names, the vulnerability information, information indicating the presence/absence of the vulnerability information column 62 or the vulnerability information, information about the components to be defended, and coefficients numerically indicating the levels of security effects.
The component names identify the components that form an attack path. The vulnerability information identifies security holes. The vulnerability information is associated with the components identified by the component names. The components to be defended are determined for the respective security countermeasures. The coefficients are determined by quantifying the levels of effectiveness for the respective security countermeasures.
In the configuration information holding unit 41 (
According to the present invention, information obtained with relative ease is input from the input/output unit 27, and such information is organized in each information table in the storage unit 40 using a hierarchy based on the differences in distance from the components to the assets. This further contributes to quality control.
[3] A product to be handled by the present apparatus 1 is an in-vehicle electronic device that forms part of an automobile or is mounted in an automobile. Therefore, a product to which a computer is applied is suitably adopted in the case of an in-vehicle electronic device that forms part of an automobile or is mounted in an automobile. In other words, the present apparatus 1 is capable of performing effective protection from cyber attacks, not only because the number of active products thereof is large and the components have high asset values, but also because of passenger protection required for the automobile and the safety duty in the surrounding environment.
[4] A vulnerability evaluation system is a system in which the administrator terminal 2 is connected to the present apparatus 1 in a wired or wireless manner. Being user-friendly, the present system is suitably adopted in products actually being developed as new products.
[5] The present method is a vulnerability evaluation method for performing a process of evaluating the threat levels of a plurality of security holes and calculating priority order (
The storage unit 40 is as described in the explanation of the present apparatus 1. Further, when a program is executed by the processing unit 20, the vulnerability evaluation processing unit 23 is formed. The process to be performed by the vulnerability evaluation processing unit 23 in determining priority order (
In step S41, one piece of vulnerability information is acquired from the component-vulnerability correspondence holding unit 42. In step S44, one attack map is selected from the attack map holding unit 46. In step S45, the asset value corresponding to the asset of the acquired attack map 11-1 or -2 is acquired from the asset information holding unit 43. In step S46, the attack difficulty level to the corresponding security hole is acquired from the component-vulnerability correspondence holding unit 42. In step S47, the asset value is multiplied by the attack difficulty level. An evaluation value is then set on the basis of the calculation result of the multiplication.
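The evaluation loop of steps S41 through S52 (select a vulnerability, walk every attack map whose path contains the affected component, multiply the reached asset's value by the attack difficulty level, keep the greatest result, sort descending) can be written out as a small Python program. This is an added illustration, not code from the patent; the table names, component names, asset values and difficulty levels below are constructed sample data, and the step S49 countermeasure-adjusted calculation is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackMap:
    """One attack map (constructed): a configuration variation, the component
    names along the attack path, and the asset the path finally reaches."""
    config_variation_id: str
    path: tuple            # component names forming the attack path
    asset: str             # asset reached at the end of the path


# Constructed sample tables; names and numbers are hypothetical.
ASSET_VALUES = {"display_screen": 10, "telematics_unit": 4}   # asset information
ATTACK_DIFFICULTY = {                                         # component-vulnerability correspondence
    ("tcu_firmware", "VULN-A"): 3,   # (component, vulnerability id) -> attack difficulty level
    ("ivi_os", "VULN-B"): 2,
    ("ivi_os", "VULN-C"): 1,
}
ATTACK_MAPS = [
    AttackMap("CV-1", ("tcu_firmware", "ivi_os"), "display_screen"),
    AttackMap("CV-2", ("tcu_firmware",), "telematics_unit"),
]


def evaluate(vulns, attack_maps, asset_values, attack_difficulty):
    """Steps S41-S52: for each (component, vulnerability) pair, visit every attack
    map whose path contains the component (S44), take the reached asset's value
    (S45) and the attack difficulty (S46), multiply them (S47), and keep the
    greatest result per vulnerability (S50). Returns {vuln_id: evaluation value}."""
    results = {}
    for component, vuln_id in vulns:
        for amap in attack_maps:
            if component not in amap.path:          # vulnerability not on this map
                continue
            value = asset_values[amap.asset] * attack_difficulty[(component, vuln_id)]
            if value > results.get(vuln_id, 0):     # greater value wins (S50)
                results[vuln_id] = value
    return results


def priority_order(evaluation):
    """Sort the evaluation values in descending order as priority candidates."""
    return sorted(evaluation.items(), key=lambda kv: (-kv[1], kv[0]))


def run_example():
    """Run the constructed tables through the evaluation and return the ranking."""
    scores = evaluate(list(ATTACK_DIFFICULTY), ATTACK_MAPS, ASSET_VALUES, ATTACK_DIFFICULTY)
    return priority_order(scores)
```

Here VULN-A is reachable on both maps, so its value is the larger of 10×3 and 4×3, which is why it outranks VULN-B even though that vulnerability sits closer to the high-value asset.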
[6] In the present method, the procedure for determining priority order (
In steps S1 and S61, product information is input from the administrator terminal 2 to the vulnerability evaluation computer. In steps S2 and S62, information related to security holes is input from the administrator terminal 2 to the vulnerability evaluation computer. In the attack map generation steps S4 and S63, the vulnerability evaluation processing unit 23 indicates the attack path in the form of the attack map 11-1 or -2. In steps S12 and S72, in response to a request, the vulnerability evaluation result (
The first embodiment and the second embodiment may be modified as follows. In the description with reference to
Number | Date | Country | Kind |
---|---|---|---|
2018-180912 | Sep 2018 | JP | national |