Threat Analysis and Risk Assessment for Connected Vehicles: A Survey

With the rapid development of connected vehicles, people can get a better driving experience. However, the interconnection with the external network may bring a growing number of accidents caused by cybersecurity vulnerabilities. As a result, automakers are paying more attention to cybersecurity and spending more on developing cybersecurity defense mechanisms. Threat analysis and risk assessment (TARA) is an efficient method to ensure the defense effect and greatly save costs in the early stage of vehicle development. It analyzes the threats to vehicle systems and determines the hierarchical defense and corresponding mitigations according to the potential threat to the system. This paper gives an overview of threat analysis and risk assessment in the automotive field. First, a novel classification of different TARA methods is proposed, and the existing methods are analyzed and compared. Then, we identify some commonly used tools applied to TARA and compare their performance. After that, a concept named attack-defense mapping is proposed to figure out how to map the already found threats and vulnerabilities of the system to the appropriate mitigations. At last, the future development directions of TARA in the automotive domain are discussed.


Introduction
In recent years, as vehicles have become more intelligent and connected, the automotive system has become much more complex. Increasing connections between vehicles and external networks, together with functions realized by software, increase the possibility of vehicles being exploited by hackers, criminals, and even terrorists. At the same time, the development of automated driving gives the vehicle system more control authority, making intrusion into the vehicle system more harmful. The diversified and multidimensional attacks faced by the intelligent and connected vehicle may lead to privacy and safety threats and even national security threats.
For this reason, many countries have put forward higher standards and requirements for automotive cybersecurity, such as WP.29, which will be implemented soon. Automotive manufacturers attach great importance to strengthening the cybersecurity protection of their products, and many security solutions providing automotive cybersecurity protection have been proposed. However, the existing security solutions mostly provide passive, single-point protection for a specific security problem, so the cybersecurity problem cannot be solved immediately [1]. By identifying and evaluating potential cybersecurity threats and risks, TARA approaches can help find potential threats in the early stage of development and provide theoretical support for selecting mitigation measures. However, there is a lack of a review of TARA methods and tools in the automotive field, as well as of how to use appropriate mitigation measures to mitigate the corresponding threats in theory.
This study conducts a systematic review of current research that aims at TARA in the automotive field. The present study investigates the existing TARA methods in the automotive field and extracts the characteristics of the proposed methods. Common tools used in TARA are also described. In addition, this study explores the mapping relationship between threats and corresponding mitigation measures. The rest of the paper is organized in the following way: Section 2 describes the procedure undertaken for performing a systematic literature review (SLR). Section 3 presents threat analysis and risk assessment methods. In Section 4, threat analysis and risk assessment tools are analyzed and compared. A novel concept named attack-defense mapping is discussed in Section 5. In Section 6, the future directions of threat analysis and risk assessment development are discussed before we sum up our paper with a conclusion in Section 7.

Research Question Definition.
The main objective of this paper is to present a picture of the recent research work on TARA methods in the automotive context. We have thus formulated the following research questions; this step is central to the paper:
RQ1. What threat analysis and risk assessment methods are used to evaluate the cybersecurity status of the vehicle?
RQ2. What tools could be applied to threat analysis and risk assessment?
RQ3. How can the threats and vulnerabilities of the system be matched to the appropriate mitigation measures?
RQ1 aims to explore what threat analysis and risk assessment methods are used in the automotive context. RQ2 aims to find out what tools could be applied to threat analysis and risk assessment. RQ3 aims to figure out how to match the threats and vulnerabilities of the system to the appropriate mitigation measures once the threats and vulnerabilities have been found.

Search Process.
The complete search process of this literature review involves the following steps.

Search Terms.
In the next step of the study, we have specified the search string used to find relevant publications in selected databases. We specify the following Boolean string to search the relevant databases: (risk OR vulnerability OR threat) AND (analysis OR assessment OR evaluate) AND (security) AND (vehicle OR automotive).

Search Procedure.
The initial step of the search involves selecting literature using the search string described above. The second step is to filter the literature by the inclusion and exclusion criteria. The third step is to filter the literature by relevant titles and keywords. The fourth step is to select literature by screening abstracts. Finally, the full-text papers to be reviewed are obtained. The complete process from initial selection to full-text selection is summarized in Figure 1.

Selection Criteria.
The research scope of this paper is from January 1, 2010, to March 31, 2021. The criteria for screening related research work should be predefined to eliminate ambiguity in the screening process. Therefore, the following inclusion criteria were considered:
(i) Papers focus on security issues in the automotive area
(ii) Papers are peer-reviewed
The following criteria state when a paper was excluded:
(i) Papers are not written in English
(ii) Papers are not accessible in full text
(iii) Papers are duplicates of other studies

Screening Results.
The initial search showed that there is a considerable number of research papers about the stated research questions. The search procedure was performed with an initial total of 29527 papers. Out of these 29527 papers, 392 were chosen after applying the inclusion criteria (IC) and exclusion criteria (EC). 139 papers were then selected after going through the titles and keywords. Among the remaining 139 papers, snowballing was done to cover accidentally missed papers, and the number reached 170. Out of the 170 papers, 111 were included after studying the abstracts. In the end, 38 papers were selected for full-text study and were deemed to have the potential for answering the given research questions. A detailed breakdown of the figures for each phase is given in Table 1.

Threat Analysis and Risk Assessment Methods
In the development process of intelligent and connected vehicles, TARA is mainly applied in the relatively early development stage. Through threat modeling and risk assessment of the intelligent and connected vehicle cyber-physical system, the risk value of potential threats can be reduced to an acceptable level at low cost. Then, the cybersecurity level of vehicles can be improved. Figure 2 shows the process of threat analysis and risk assessment. TARA is mainly divided into three steps:
(i) Threat analysis: identifying potential threats in automotive systems
(ii) Risk assessment: analyzing and classifying the identified threats and evaluating the corresponding risks
(iii) Risk analysis: sorting the threats according to the risk level and determining whether the risk associated with a specific threat is at an acceptable level or whether measures to reduce the risk are needed [3]
In this section, TARA methods are divided into two categories, namely, formula-based methods and model-based methods. Formula-based methods perform threat analysis and risk assessment of the system mainly through tables, texts, or formulas. They are divided into three types according to their different concerns: asset-based methods, vulnerability-based methods, and attacker-based methods. Model-based methods are a type of threat analysis method that uses a variety of models, modeling and analyzing the threats and risks of the system through data flow diagrams, graphs, and tree models. They are divided into two types according to their different concerns: graph-based methods and tree-based methods. Model-based methods perform threat analysis on the system through different models, so they are more objective; the accuracy of the quantitative analysis results and the reproducibility of the analysis results are higher. However, these methods are also more complex and therefore more difficult to understand and use.
Figure 3 presents a taxonomy of TARA methods which will be discussed in the following sections.

Formula-Based Methods

Asset-Based Methods.
The asset-based approach is the most common type of TARA method in the automotive domain. This series of methods first identifies the final target asset under attack and then exhausts the attack paths and attack methods that can pose a threat to this target asset, drawing on the experience and expertise of security experts, so that prevention can be carried out in advance. This method is also known as a "top-down" method.
CERT/CC (Computer Emergency Response Team/Coordination Center) released OCTAVE in 1999. The OCTAVE method has become one of the mainstream TARA methods in the world. The OCTAVE methodology divides the assessment into three phases in which management issues and technical issues are examined and discussed so that the organization's staff can take full ownership of the organization's information security needs.
The OCTAVE method is characterized as an assessment approach that combines assets, threats, and vulnerabilities. Managers can use the results of the assessment to prioritize the risks to be addressed. It also incorporates how the computing infrastructure is used and its role in achieving the organization's business objectives. OCTAVE is integrated with the interrelated technical aspects of computing infrastructure configuration. It also allows for a flexible, customizable, and repeatable approach that can be tailored to the needs of different organizations. The EVITA method is an asset-based threat analysis method. This method provides a cost-effective security architecture that can provide comprehensive security in different development phases such as design, verification, and prototyping for vehicle networks. The EVITA method performs an attack assessment for each asset in the system and then assesses the level of risk that the attack may cause. Risk is a function of the attack likelihood and the severity of the harm caused by the attack. Based on these, the threats are risk-rated, and the threat priority is determined [4]. The EVITA risk assessment method can be applied to assess potential threats. The identified potential threats can be ranked according to the risk level to further focus the analysis on the highest-risk threats. Then, the network security goals can be determined for the highest-risk threats. However, the EVITA method only provides an evaluation method and does not provide a complete evaluation process, which causes trouble for users. The HEAVENS method makes up for this defect. Figure 4 shows the workflow of HEAVENS.
The combination of security objectives and level of impact during threat analysis helps to assess the potential business impact of a threat on relevant stakeholders. HEAVENS is, therefore, a very suitable assessment method for evaluating the information security risks of automotive electrical and electronic systems. At the same time, the HEAVENS method provides a detailed process of threat analysis and risk assessment, which greatly reduces the difficulty of use and increases the feasibility of the method, which is also a prerequisite for its widespread use. BRA (Binary Risk Analysis) assesses the assets to be protected in the system by following a fixed process. The BRA method can be used for quick risk conversations to discuss specific risks in just a few minutes. Nevertheless, the resulting risks are only classified as high, medium, or low. Furthermore, a conservative analysis tendency leads to threats being classified solely as high risk. Additionally, no structured estimation of threat scenarios is given, and the resulting threat classification is too rudimentary for concept development phases. SHIELD is a multimetric approach to evaluate a system's level of security, privacy, and dependability. The main goal of this method is to evaluate multiple system configurations and select those that meet or exceed the established requirements [5,6]. In the NHTSA approach, all relevant onboard components and systems are considered, and the data flows and the trust boundaries between the components can be observed visually [7]. The SGM (Security Guide-word Method) makes it easy for non-security engineers to identify information assets and protection objectives. Ten guide words are derived, namely, disclosure, disconnection, delay, deletion, stopping, denial, trigger, insertion, reset, and manipulation [8].
The policy-based security model can be customized according to the security requirements of the use case, and a flexible security model that is manageable and adaptable during the device life cycle is provided. By using policies to enforce security requirements, OEMs do not need to rely on the security assurances of third-party vendors. Implementation strategies can ensure that the equipment operates as expected by the OEM. If the security requirements of the device change after production, for example, because a new vulnerability is discovered, the OEM can issue a policy definition update [9]. The threat analysis methods above focus on the qualitative analysis of threat levels, while other asset-based methods can quantitatively analyze risks. TVRA can define the risk level of a system based on the likelihood of an attack occurring and the impact of an attack on the system. TVRA can output a quantitative measure of system asset risk and a detailed set of security measures to minimize system risk [10]. The US2 (Unified Safety and Security) method uses a simple quantitative scheme to evaluate safety hazards and security threats in parallel and effectively derive safety and security requirements [11].
In addition, there is a special type of asset-based approach, which uses software as the main protected asset of the system. In this article, it is called the software logic-based approach. Macher et al. [12] proposed a method called SAHARA, which incorporates the STRIDE threat model. SAHARA enables the quantification of the probability of occurrence and the impacts of security issues on safety goals. Its basic classification is aligned with ASIL classification and is thus well suited for use in combined security and safety engineering processes. The software vulnerability analysis method checks the software code for known constructions that should be avoided, in order to prevent potential vulnerabilities [3]. The asset-based methods focus on various forms of assets in the system. As an automobile is essentially a cyber-physical system, the ultimate goal of cybersecurity in the automotive domain is to protect the automotive system from attack so that it operates normally. Therefore, the asset-based threat analysis and risk assessment approach is also the most suitable for the automotive domain.

Vulnerability-Based Methods.
Corresponding to the asset-based methods, the vulnerability-based methods are "bottom-up" TARA methods. They start with a vulnerability or weakness found in a system and then analyze what larger vulnerabilities or failures that vulnerability could cause.
CVSS (Common Vulnerability Scoring System) is an open industry standard designed to help determine the urgency and importance of the required response. The main purpose of CVSS is to establish a standard for measuring the severity of vulnerabilities so that the severity of vulnerabilities can be compared and the priority of dealing with them can be determined. CVSS scores are based on measurements along a series of dimensions, which are called metrics. CVSS includes three metric groups: base, temporal, and environmental.
FMVEA expands the security attributes based on FMEA, turning it into a safety and security coanalysis method. Its failure modes analyze how components' quality attributes fail, and its threat modes analyze how security attributes fail. Recognizing threat agents makes it possible to estimate the frequency of threat modes, and the probability of occurrence of a threat mode is determined by the threat agents and vulnerabilities [13]. The whole process of the CHASSIS analysis method is divided into two steps to define functionality, safety, and security requirements. The first step mainly defines the functional requirements for the subsequent introduction of safety and security requirements. In the second step, the main focus is on the introduction of safety and security requirements. This step relies on brainstorming by relevant security experts in the field to propose possible misuse scenarios as an important basis for the overall analysis results. For this reason, there are too many subjective factors in the CHASSIS analysis method [14]. In [14], the two methods FMVEA and CHASSIS are compared in terms of six aspects: level of abstraction, comparability of repeated analysis, reusability of analysis artifacts, scope of analysis, suitability for a risk rating, and adaptability to changing context, through an automotive FOTA (firmware over the air) application scenario. Moreover, in NIST SP 800-30 "Risk Management Guide for Information Technology Systems," a methodology is proposed to conduct a risk assessment in nine sequential steps [14]. The ANP (Analytical Network Process) matrix approach can easily and effectively consider the dependencies and conflicts between attributes for joint evaluation [15]. It helps to make wise design decisions and reduce the number of design iterations. In the matrix, the hierarchical fault propagation and threat propagation structures are defined, and the interconnection between them is considered, thereby giving a network structure.
The authors in [16] use three examples to analyze the effect of the cyber kill chain method. The cyber kill chain refers to the process of analyzing network attacks to identify threats to the organization at each stage of the attack, disrupting and mitigating the attacker's objectives, and planning and implementing measures to protect the organization's systems. Compared with the benchmark, VeRA (Vehicle Risk Analysis) uses a simplified analysis process and fewer factors, thereby greatly reducing the required analysis time without affecting the accuracy of the analysis. In addition, based on VeRA, a simple and effective mathematical model is established to evaluate the risk value by considering the attack probability, severity, and human control, thereby avoiding the cumbersome table lookups of previous methods [17]. The vulnerability-based methods can find the vulnerabilities in the system and then further analyze the hazards and risks that each vulnerability may cause to the system. If these methods are combined with a rich vulnerability database, they can perform a more comprehensive vulnerability scan of the system. This type of approach makes it possible to use a large vulnerability database to analyze each vulnerability that could cause failure or damage to the system, and it can effectively avoid damage to the security of the system caused by the vulnerability.

Attacker-Based Methods.
The attacker-based method is a type of threat analysis method that focuses on attackers. It conducts threat analysis and risk assessment of the system through the knowledge level of possible attackers, their attack paths, their attack motivations, and the amount of resources they possess. In this way, the threat can be modeled and analyzed from the root cause of the attack.
SARA is an improved security risk analysis framework for vehicles dedicated to automated driving systems, including the opinions of security experts, new threat models, attack methods, asset maps, and attack tree definitions. In addition, SARA defines a new metric that considers driver or automated driving system controllability for the computation of the risk value [18]. SAM (Security Abstraction Model) closely combines safety management and model-based systems engineering through an abstract description of the principles of automotive security modeling [19]. The Threat Agent Risk Assessment method is performed in six steps, and its goal is to find the critical exposures of the connected car.
The Threat Agent Risk Assessment method is composed of the TAL (Threat Agent Library), MOL (Methods and Objectives Library), and CEL (Common Exposure Library). The Threat Agent Risk Assessment method can identify a list of possible attacks and rank these attacks according to the likelihood of occurrence [20]. However, the Threat Agent Risk Assessment method is fairly new, and there is almost no supporting documentation except for the very little content released by Intel Security. Therefore, other work must be done to successfully apply this method to the automotive industry. The Bayesian Stackelberg game methodology models the attack and defense process as a network security Stackelberg game. It provides the best mixed strategy for the attacker and the Internet of Vehicles defense system, with the latter optimally deploying the available security resources in the transportation infrastructure to minimize the impact of attacks and improve their detection. The game is of the Bayesian type. According to the probability distribution determined by a strict risk assessment method, several types of data corruption attacks are considered [21]. Compared with a uniform defense design that is indifferent to the attacker's strategy and type, this method can reduce the impact of advanced persistent threats. This solution can be integrated into the design of the Internet of Vehicles intrusion detection system to improve its robustness.
Formula-based TARA methods are more mature and more convenient for users without much security experience. As a result, they are more widely spread and used. Table 2 shows the classification of the formula-based TARA methods. This classification helps to identify TARA methods with common characteristics. In addition, Table 2 describes the characteristics of each method and whether the method is a coanalysis method that takes into account both security and safety aspects.

Model-Based Methods

Graph-Based Methods.
Graph-based methods connect nodes through directional edges. Graph-based methods can express the direct mathematical quantitative relationship of each node module, which facilitates quantitative threat analysis of the system. The STRIDE model consists of spoofing (S), tampering (T), repudiation (R), information disclosure (I), denial of service (D), and elevation of privilege (E). The STRIDE method has been widely used in the IT industry and has proven able to identify and analyze the threats in a system, which can effectively reduce the risk of the system being attacked. Due to its outstanding effect, the STRIDE method is gradually being applied in other fields. The STRIDE method is also recommended for automotive information security by SAE J3061.
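The following Python is an added example of applying STRIDE per element of a data flow diagram (DFD); it is not code from the survey, from SAE J3061, or from any cited project. The table of which STRIDE categories apply to external entities, processes, data stores and data flows is the STRIDE-per-element mapping from the Microsoft SDL; the small connected-vehicle DFD (OEM backend, telematics unit, gateway, diagnostic log, and their trust zones) is constructed for illustration and every name in it is an assumption. The output is the candidate threat list a TARA would then rate for likelihood and severity, with flows that cross a trust boundary listed first.

```python
"""STRIDE-per-element threat enumeration over a DFD (added example; not the
survey's code). Element-type to category mapping follows the Microsoft SDL
STRIDE-per-element table; the vehicle DFD is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: categories that apply to each DFD element type.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # "external_entity", "process" or "data_store"
    trust_zone: str  # assumed zones: "external", "telematics", "in-vehicle"


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    @property
    def crosses_trust_boundary(self) -> bool:
        return self.src.trust_zone != self.dst.trust_zone


@dataclass(frozen=True)
class Threat:
    category: str
    element: str
    on_boundary: bool  # True for a flow that crosses a trust boundary


def enumerate_threats(elements: list[Element], flows: list[Flow]) -> list[Threat]:
    """Every (category, element) pair STRIDE-per-element says must be considered."""
    threats: list[Threat] = []
    for e in elements:
        if e.kind not in APPLICABLE or e.kind == "data_flow":
            raise ValueError(f"unknown element kind: {e.kind}")
        threats.extend(Threat(STRIDE[c], e.name, False) for c in APPLICABLE[e.kind])
    for f in flows:
        threats.extend(
            Threat(STRIDE[c], f.name, f.crosses_trust_boundary)
            for c in APPLICABLE["data_flow"]
        )
    # Boundary-crossing flows first: that is where less trusted data enters a
    # more trusted zone, so they get the earliest review in the assessment.
    threats.sort(key=lambda t: (not t.on_boundary, t.element, t.category))
    return threats


def build_example_dfd() -> tuple[list[Element], list[Flow]]:
    """Constructed DFD of a simplified over-the-air update path (assumption)."""
    backend = Element("OEM backend", "external_entity", "external")
    tcu = Element("Telematics control unit", "process", "telematics")
    gateway = Element("Central gateway", "process", "in-vehicle")
    log = Element("Diagnostic log", "data_store", "in-vehicle")
    flows = [
        Flow("OTA package", backend, tcu),         # external -> telematics
        Flow("Diagnostic request", tcu, gateway),  # telematics -> in-vehicle
        Flow("Log write", gateway, log),           # stays inside in-vehicle zone
    ]
    return [backend, tcu, gateway, log], flows


def summarize(threats: list[Threat]) -> dict[str, int]:
    """Count threats per STRIDE category, a first input to risk triage."""
    counts: dict[str, int] = {}
    for t in threats:
        counts[t.category] = counts.get(t.category, 0) + 1
    return counts


if __name__ == "__main__":
    elements, flows = build_example_dfd()
    threats = enumerate_threats(elements, flows)
    for t in threats:
        flag = " [trust boundary]" if t.on_boundary else ""
        print(f"{t.category:<24} {t.element}{flag}")
    print(summarize(threats))
```

Running it on the constructed DFD yields 27 candidate threats; the six on the two boundary-crossing flows (the OTA package entering the telematics zone and the diagnostic request entering the in-vehicle zone) are the ones a vehicle TARA would normally rate first, since tampering or spoofing there is the usual entry to the rest of the attack path.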
In addition to the STRIDE method, UcedaVelez [23] developed a seven-stage threat analysis method called PASTA (Process for Attack Simulation and Threat Analysis) in 2012 [23]. PASTA uses data flow diagrams at the application decomposition stage. The LINDDUN (linkability, identifiability, nonrepudiation, detectability, disclosure of data, unawareness, and noncompliance) method provides data security and privacy protection for the system through a six-step analysis [23]. It uses data flow diagram model elements iteratively to analyze and detect different types of threats. The VAST (visual, agile, and simple threat) method can be extended and applied to large-scale threat model analysis [23]. The advantage of the Markov chain method is that the time dimension is introduced into the threat analysis of the system. This method assumes that the next state of the system is completely determined by the current state, which brings the threat analysis of the system into a dynamic space. As a dynamic method, it enriches the dimensions of the entire threat analysis by expressing the attack steps and simulating the corresponding defending methods. In addition, the Markov chain also makes quantitative threat analysis possible, making the results of the threat analysis of the entire system more intuitive and convincing [24][25][26].
The Bayesian network method uses a graph-based model to quantitatively evaluate the possibility of threats to vehicle components. It is used to obtain the relevant security risks and to derive the security measures of the model. The Bayesian defense graph can also conduct threat analysis together with corresponding mitigation measures, which can provide a reference for security defense design [27,28].

Table 2: Classification of the formula-based TARA methods, their characteristics, and whether each is a safety/security coanalysis method.

| Category | Method | Ref. | Characteristics | Safety/security coanalysis |
|---|---|---|---|---|
| Asset-based | EVITA | [4] | EVITA is part of a European Commission-funded research project (E-safety vehicle intrusion protected applications). In EVITA, security threats are classified from different perspectives: operations, security, privacy, and finance. EVITA is a suitable approach for concept evaluation but requires too many details for classification. | Yes |
| Asset-based | HEAVENS | [3] | HEAVENS is a method for threat analysis and risk assessment of automotive electrical and electronic systems. The STRIDE threat modeling approach brings additional structuring support for the estimation of threat scenarios. It has a wide range of applicability and can be applied to passenger cars and commercial vehicles. | Yes |
| Asset-based | OCTAVE | | OCTAVE stands for operationally critical threat, asset, and vulnerability evaluation. It is flexible, tailorable, and repeatable. | No |
| Asset-based | BRA | [5,6] | BRA is a lightweight, qualitative, open-license risk assessment. It is fast and convenient but relatively rudimentary, and it is difficult for it to conduct an overall threat assessment of complex systems. | No |
| Asset-based | SHIELD | [5,6] | SHIELD is a method for assessing the security, privacy, and dependability of embedded systems. It considers security, privacy, and dependability together. | No |
| Asset-based | TVRA | [10] | Threat, vulnerability, and risk analysis (TVRA) identifies assets in the system and their associated threats by modeling the likelihood and impact of attacks. It provides the possibility for a more detailed analysis of threats. | No |
| Asset-based | SGM | [8] | This method is based on security guide words, which allow a structured identification of possible attack scenarios. It is easy to use and can reduce the workload of analysts. | Yes |
| Asset-based | US2 | [11] | This method uses a simple quantitative scheme to assess safety risks and security threats simultaneously. The quantitative method of US2 is less complicated and requires less analytical work. | Yes |
| Asset-based | Policy-based security modeling | [9] | This is a policy-based security modeling method, which uses a configurable policy engine to apply new policies to deal with serious threats. It allows the policy to be updated to deal with new threats; under the traditional approach, the product might otherwise need to be redesigned to alleviate the problems. | No |
| Asset-based | NHTSA | [7] | This method uses the threat matrix from the technical report of the US National Highway Traffic Safety Administration (NHTSA). It can display the system intuitively. | No |
| Asset-based | SW vulnerability analysis | | This method can find vulnerabilities in code. The software code of a known software structure can be checked to prevent potential vulnerabilities, but the method is aimed at the software development level, so it is not suitable for the early development stage. | No |
| Vulnerability-based | FMVEA | [13] | FMVEA is based on FMEA and extends the standard approach with security-related threat modes. This method can identify the frequency and probability of threat modes. | Yes |
| Vulnerability-based | CHASSIS | [14] | CHASSIS is a systematic method for analyzing the safety and security of an information system interactively by using HAZOP guide words. CHASSIS adapts more easily to different scenarios and environments and is more suitable for dynamic system analysis, but it depends too much on expert knowledge. | Yes |
| Vulnerability-based | ANP matrix | [15] | The ANP matrix method allows a combined risk assessment that considers dependencies and conflicts among attributes. This approach provides risk assessment results for different dependability attributes. It considers the relationship between failures and threats and the impact of propagation, and it can reduce the number of design iterations. | Yes |
| Vulnerability-based | Cyber kill chain | [16] | The cyber kill chain consists of seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. This methodology is good at analyzing cyberattacks, threats, or vulnerabilities related to the automotive industry. | No |
| Vulnerability-based | VeRA | [17] | Vehicle risk analysis (VeRA) is suitable for assessing the risk of attacks on autonomous vehicles and connected autonomous vehicles. VeRA is the first work that considers human capabilities and vehicle automation levels when assessing safety risks. It can reduce the time required for the risk assessment process. | No |
| Vulnerability-based | NIST SP 800-30 | [22] | This method is proposed in NIST SP 800-30 and can be used to identify, estimate, and prioritize various risks for security-critical targets. Security-critical systems are considered. | No |
| Attacker-based | Threat Agent Risk Assessment | [20] | The threat modeling was carried out with the support of domain experts and the project manager responsible for the Threat Agent Risk Assessment method in Intel's security department. It has a clear organization, is easy to understand and operate, and is able to adapt to a dynamic structure. | No |
| Attacker-based | SAM | [19] | SAM is a proposal to extend EAST-ADL with a security modeling function, which is not covered by the existing language specifications. The SAM method clarifies the difference between security modeling and functional safety modeling. The language specification is defined for the security abstraction model of the automotive system modeling environment. | Yes |
| Attacker-based | Bayesian Stackelberg game | [21] | This method is a resource-aware Bayesian Stackelberg game whose goal is to provide the IDS with the best detection load distribution strategy for the set of RSUs monitored in the transportation network, while maximizing the detection of multiple attack types driven by advanced persistent threats. This method only needs to solve a mixed integer linear program (MILP) rather than the set of linear programs required by other solutions, so it can further improve performance. | No |
| Attacker-based | SARA | [18] | SARA is a systematic threat analysis and risk assessment framework, including improved threat models, new attack methods, asset maps, attacker participation in the attack tree, and new driving system observation metrics. SARA provides a framework for security experts to participate in the security process. | Yes |

The GTS (graph transformation system) method is a formal method that transforms the system structure graph according to certain rules. The entire graph transformation system can be abstracted as a tuple (G, R), where G represents the graph and R represents a series of transformation rules. The GTS method contains three kinds of transformation rules, which are used to describe the behavior of services, the normal behavior of the hardware components, and the attack actions. With the help of transformation rules, GTS can easily and quickly realize the conversion between the overall architecture and the module architecture, which is very beneficial for OEMs in the development of large-scale projects. At the same time, [29] also introduces a conversion method from attack graph to attack tree, which establishes a mapping relationship between the two threat analysis methods. Accordingly, the system can be analyzed from multiple dimensions.
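As an added example for the graph-based discussion above (it is not code from the survey, from the GTS work in [29], or from any other cited project), the following Python represents an attack graph as components joined by attack steps, each step carrying an assumed success likelihood. It finds the most likely path to a target asset, enumerates all loop-free paths and folds them into an attack tree (OR over paths, AND over the steps of each path), which is the attack-graph-to-attack-tree conversion the text mentions, and then takes the defender's view by asking which single step, if blocked, leaves the lowest residual likelihood. The component names, entry points and likelihood values are all constructed assumptions.

```python
"""Attack-graph analysis over a constructed vehicle network (added example;
not the survey's code). Nodes are components an attacker may control, edges
are attack steps labelled with an assumed success likelihood in (0, 1]."""
import heapq
import math
from collections import defaultdict

# Constructed edge list (from, to, likelihood). Names and values are assumptions.
EDGES = [
    ("internet", "telematics_unit", 0.3),
    ("cellular", "telematics_unit", 0.2),
    ("telematics_unit", "gateway", 0.5),
    ("telematics_unit", "infotainment", 0.7),
    ("infotainment", "gateway", 0.3),
    ("obd_port", "gateway", 0.9),
    ("gateway", "brake_ecu", 0.4),
]
ENTRY_POINTS = ["internet", "cellular", "obd_port"]
TARGET = "brake_ecu"


def build_graph(edges):
    """Adjacency list; rejects likelihoods outside (0, 1] so -log(p) is defined."""
    graph = defaultdict(list)
    for src, dst, p in edges:
        if not 0 < p <= 1:
            raise ValueError(f"likelihood out of range on {src}->{dst}: {p}")
        graph[src].append((dst, p))
    return graph


def most_likely_path(edges, source, target):
    """Dijkstra on -log(p): the shortest path maximises the product of step
    likelihoods. Returns (path, likelihood), or ([], 0.0) if unreachable."""
    graph = build_graph(edges)
    cost = {source: 0.0}
    prev = {}
    heap = [(0.0, source)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost.get(node, math.inf):
            continue  # stale heap entry
        if node == target:
            break
        for nxt, p in graph[node]:
            new_cost = c - math.log(p)
            if new_cost < cost.get(nxt, math.inf):
                cost[nxt] = new_cost
                prev[nxt] = node
                heapq.heappush(heap, (new_cost, nxt))
    if target not in cost:
        return [], 0.0
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    path.reverse()
    return path, math.exp(-cost[target])


def all_simple_paths(edges, source, target):
    """Every loop-free path from source to target (depth-first search)."""
    graph = build_graph(edges)
    paths = []

    def dfs(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt, _ in graph[node]:
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(source, [source])
    return paths


def attack_tree(edges, entry_points, target):
    """Attack graph -> attack tree: root is an OR over all paths from any entry
    point, each path an AND over its attack steps."""
    branches = []
    for entry in entry_points:
        for path in all_simple_paths(edges, entry, target):
            steps = [f"{a}->{b}" for a, b in zip(path, path[1:])]
            branches.append({"AND": steps})
    return {"OR": branches}


def max_likelihood(edges, entry_points, target):
    """Worst case over entry points: the single most likely compromise path."""
    return max(most_likely_path(edges, e, target)[1] for e in entry_points)


def best_single_mitigation(edges, entry_points, target):
    """Defender's view: the one attack step whose removal (a mitigation that
    blocks it) leaves the lowest worst-case likelihood. Returns (edge, residual)."""
    best_edge, best_residual = None, max_likelihood(edges, entry_points, target)
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        residual = max_likelihood(remaining, entry_points, target)
        if residual < best_residual:
            best_edge, best_residual = edge, residual
    return best_edge, best_residual


if __name__ == "__main__":
    print(most_likely_path(EDGES, "internet", TARGET))
    print(attack_tree(EDGES, ENTRY_POINTS, TARGET))
    print(best_single_mitigation(EDGES, ENTRY_POINTS, TARGET))
```

On the constructed graph the worst-case path is the wired one through the diagnostic port, but the mitigation that pays off most is on the last hop into the brake ECU, because every path shares it; the attack tree makes that visible as the one step present in all five AND branches. This is the kind of reasoning the attack-defense mapping in Section 5 formalizes.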
UML is a universal graphical modeling language used to specify, design, and verify complex hardware and software systems, as well as organizational and program workflows. UML use cases and state machines can be used to represent attack scenarios. In [30], a UML-based metamodel is developed specifically for autonomous vehicles, attacks, and defense measures. UML-based analysis methods have many advantages. UML symbols have well-defined semantics and will not cause ambiguity. The visual model based on UML makes the system structure intuitive and easy to understand. Modeling the software system with UML is not only conducive to communication between system developers and system users but also to system maintenance. However, the UML language is more costly for nonprofessional engineers to learn. SysML-Sec is a method that combines a target-oriented method for obtaining requirements with a model-oriented method for threats and system architecture. Its analysis process is based on the Y-chart and V-cycle models. It can cover all design and development stages [31].
Schmittner et al. [32] proposed improvements when applying STPA-Sec for security and safety coanalysis and identified several limitations of STPA-Sec. STPA-Sec outputs a list of system-level scenarios that can cause losses. The threat analysis process of the STPA-Sec method can be divided into four steps. The first step is to establish the basic system engineering foundation. The second step is to build a high-level control structure model. The third step is to identify unsafe or risky control actions. The fourth step is to develop security requirements and constrain causal scenarios. In addition, since some terms in the STPA-Sec method cannot take into account the analysis of both safety and security scenarios, the article addresses this defect by aligning important terms in the safety and security contexts. Friedberg et al. [33] extended the STPA method, further refined and integrated the physical and information security analysis process, proposed a mapping method for security constraints between the control layer and the component layer, added information-security-related attribution factors, and formed the integrated STPA-SafeSec analysis system. The STPA-SafeSec integrated physical security and information security analysis method uses a unified analysis framework and process, which can not only identify vulnerabilities and loss scenarios at the system level but also add control constraints and focus on threats. The STPA-SafeSec method includes two core contributions. First, to determine information security constraints, analysts must extend the relatively abstract system control layer to a component layer. Second, the analysis method expands the attribution elements to meet the needs of information security analysis.

Tree-Based Methods.
Tree-based methods can represent the affinity between nodes and describe the hierarchical relationship between them. The most typical method of this type is the attack tree model, which can express the attacks faced by the system and clearly show the attack paths.
Attack tree analysis is a threat analysis method that uses a tree as its structure. The general structure of an attack tree is shown in Figure 5. The top event describes the attack target, and the nodes below it represent all possible events that can cause the attack target to occur. The logical relationships between these events are expressed through "OR" gates and "AND" gates. Attack tree analysis can be performed top-down, that is, first determining the final attack target and then analyzing all possible attack paths according to it. It can also be performed bottom-up, that is, first analyzing the possible attack surface and then analyzing the possible vulnerabilities based on it [34]. However, when faced with the threat analysis of large systems, the traditional attack tree method requires the manual construction of a large number of attack combinations. Attack paths will inevitably be missed, and the likelihood of vehicle systems being attacked will increase, which is unacceptable to OEMs. In response to this shortcoming, Salfer et al. [35] proposed a method for automatically constructing attack forests for software attacks on automotive networks. The algorithm can automatically find the optimal attack path between the attacker and the asset with the aid of the system model. Reference [35] also shows that even in the worst case, this method can complete the threat analysis and security assessment of a large system within a few minutes, which is very beneficial to OEMs, who often need to perform large-scale threat analysis on vehicle systems. The RISKEE method adds probability distributions to attack tree analysis, thus realizing quantitative risk assessment of security and safety. In addition, RISKEE uses the RISKEE propagation algorithm to calculate risk through forward propagation of frequencies and backward propagation of risk [36].
In addition, the BDMP (Boolean-logic Driven Markov Processes) method expands the ability of fault tree analysis and attack tree analysis to describe threats. Nevertheless, the BDMP method is unsuitable for the early development stage of threat analysis and risk assessment [5,6].
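To make the AND/OR evaluation concrete, here is an added example (not code from the survey or from [34]-[36]): a small attack tree for a constructed in-vehicle scenario, evaluated bottom-up for success probability and cheapest attacker effort, with its attack paths enumerated and the root probability re-evaluated after one leaf is mitigated. The node names, probabilities and costs are invented, and sibling events are assumed independent.

```python
"""Attack tree with AND/OR gates: bottom-up evaluation and attack-path enumeration.

Added illustration for the tree-based TARA section; it is not code from the
survey or from any cited work.  The tree below is a constructed toy example:
node names, probabilities and costs are invented for demonstration.
"""
import copy
from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional


@dataclass
class Node:
    name: str
    gate: Optional[str] = None          # "AND", "OR", or None for a leaf
    children: List["Node"] = field(default_factory=list)
    prob: float = 0.0                   # leaf: estimated success probability
    cost: float = 0.0                   # leaf: estimated attacker effort (constructed units)


def success_probability(node: Node) -> float:
    """Bottom-up propagation, treating sibling events as independent.

    AND: every child must succeed -> product of probabilities.
    OR:  any child suffices      -> 1 - prod(1 - p_i).
    """
    if node.gate is None:
        return node.prob
    ps = [success_probability(c) for c in node.children]
    if node.gate == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    out = 1.0
    for p in ps:
        out *= (1.0 - p)
    return 1.0 - out


def attack_paths(node: Node) -> List[List[str]]:
    """Enumerate minimal attack paths (sets of leaves that together reach the root).

    OR gates contribute the union of their children's paths; AND gates the
    Cartesian combination of one path per child.
    """
    if node.gate is None:
        return [[node.name]]
    child_paths = [attack_paths(c) for c in node.children]
    if node.gate == "OR":
        return [p for paths in child_paths for p in paths]
    combined = []
    for combo in product(*child_paths):
        combined.append([leaf for path in combo for leaf in path])
    return combined


def cheapest_path(node: Node) -> float:
    """Minimum attacker effort to reach the root (AND sums, OR takes the minimum)."""
    if node.gate is None:
        return node.cost
    costs = [cheapest_path(c) for c in node.children]
    return sum(costs) if node.gate == "AND" else min(costs)


def build_example_tree() -> Node:
    """Constructed toy tree: inject a spoofed CAN frame into the in-vehicle network."""
    return Node("inject spoofed CAN frame", "OR", [
        Node("via diagnostic port", "AND", [
            Node("physical access to OBD port", prob=0.3, cost=2.0),
            Node("possess CAN tooling", prob=0.9, cost=1.0),
        ]),
        Node("via telematics unit", "AND", [
            Node("compromise telematics unit", prob=0.2, cost=8.0),
            Node("bypass gateway filtering", prob=0.5, cost=5.0),
        ]),
    ])


def leaf_sensitivity(root: Node, leaf_name: str, new_prob: float) -> float:
    """Root probability after a mitigation lowers one leaf's probability.

    Works on a deep copy so the original tree is untouched; useful for ranking
    where a countermeasure helps most.
    """
    def patch(n: Node) -> None:
        if n.gate is None and n.name == leaf_name:
            n.prob = new_prob
        for c in n.children:
            patch(c)
    clone = copy.deepcopy(root)
    patch(clone)
    return success_probability(clone)


if __name__ == "__main__":
    tree = build_example_tree()
    print("P(root) =", round(success_probability(tree), 4))
    for path in attack_paths(tree):
        print("path:", " + ".join(path))
    print("cheapest attack effort:", cheapest_path(tree))
    # Re-evaluate after hardening the gateway (constructed mitigation effect)
    print("P(root) with gateway hardening:",
          round(leaf_sensitivity(tree, "bypass gateway filtering", 0.05), 4))
```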
Compared with formula-based methods, model-based TARA methods can show the entire evaluated system more completely, thus providing a more intuitive perspective for the evaluation process. However, model-based TARA methods use different models, so users need to study the model in depth before using the method to perform threat analysis on the system. Table 3 shows the classification of the model-based TARA methods and whether these methods take both security and safety into consideration.
How to make a reasonable and objective evaluation of different TARA methods is also a problem that concerns scholars. Different evaluation methods have different application scenarios and different applicable conditions. It is necessary to create a platform for the evaluation process so that different TARA methods can be evaluated fairly on it. Table 4 lists the ways in which TARA methods are evaluated in the literature.

Threat Analysis and Risk Assessment Tools
Microsoft Threat Modeling Tool 2016 (MTMT) is a threat modeling and analysis tool based on the STRIDE method, which can help users find potential threats in the early stage of system design. The user first establishes a data flow diagram (DFD) to describe the communication between the different components of the system. Then, MTMT automatically detects and analyzes the DFD. Finally, it presents a list of the potential threats in the system. Figure 6 is a DFD established with MTMT, which shows the scenario of information interaction between an OBU and an RSU. MTMT can also record the results of threat modeling and analysis by generating reports so that users can view them at any time. Although MTMT can accurately and comprehensively display the potential threats in the system, it can neither link the threats with the asset losses caused by the attack nor provide a complete system view for threat analysis and risk management.
SecuriCAD can help users complete network modeling. It can simulate different types of network attacks and obtain quantitative results for the system risks. The threat model in SecuriCAD is mainly composed of three components: host, network, and attacker. Figure 7 is a partial model of the 2015 Cadillac Escalade vehicle network constructed by Xiong et al. [38], where host mainly refers to ECUs and network includes CAN, LIN, MOST, and Ethernet. These are the assets that need to be protected in the system. Then, corresponding security settings are assigned to the different assets and the impact of different attacks is classified. Finally, SecuriCAD acts as an inference engine to simulate the attacks on the created threat model. The results of the simulation are as follows:
(i) Risk matrix: according to consequence and probability, the risks are divided into four levels: critical, high risk, medium risk, and low risk.
(ii) Attack path: it shows the path of an attack, which presents the possible composition of vulnerabilities used by the attack; it also shows the likelihood of the attack path.
(iii) Time-to-compromise (TTC): it presents the effort required for an attacker to implement a successful attack under a given probability.
GROOVE is a tool that uses simply labeled graphs and single push-out (SPO) transformation rules to transform a general graph. GROOVE can recursively apply transformation rules to a given graph. Karray et al. [29] used GROOVE to model the car architectural graph and transformation rules in order to construct attack trees and analyze attacks on a connected vehicle. GROOVE can model the network architecture of the vehicle. According to the initial state of the model and the preset conversion mechanism, it can generate the corresponding state space, which is the attack graph. If a state in the attack graph contains vulnerabilities, this state can be regarded as the root of an attack tree. Then, by checking the other states, the corresponding attack tree can be derived.
OMNeT++ is an open-source, modular, component-based C++ simulation library and framework that can be used to simulate vehicle networks. OMNeT++ can easily build network models and has high simulation granularity. In addition, it can also perform network attack simulation and threat analysis. Its data recording function can reflect the impact of different types of attacks on the data in the network. Figure 8 shows the network model of an automotive Ethernet architecture. Santhosh et al. [39] used this tool to establish a Sybil attack model against vehicle platoons and evaluated the impact of the attack on vehicle network performance.
Practical Threat Analysis (PTA) is a tool that can be used for threat modeling and automatic calculation of risk assessment results. First, various parameters such as system assets, threats, exploited vulnerabilities, corresponding mitigation measures, attack types, and attack entry points are set in a PTA project. The threat model is stored in a dynamic database so that the model parameters can change dynamically. By continuously revising the parameters of the model, the risk assessment and security management process can be carried out continuously and effectively. Figure 9 shows a threat builder for a replay attack on the CAN bus. It constructs a specific threat scenario to show the vulnerabilities that a certain threat can use to attack the assets of the system. At the same time, countermeasures for the threat should be added. Finally, PTA can simulate and calculate information such as the extent of damage to assets and the effectiveness of the countermeasures in the specific threat scenario. The results of the simulation can be displayed in the form of a report. The content of the report includes the basic parameters of the threat model, the analysis of the effectiveness of countermeasures, and the security level of the system.

Table 3 (part): classification of model-based TARA methods and whether each method also takes safety into consideration.

LINDDUN (reference not recovered). Safety considered: No. The first part of this row is missing: ... detectability, disclosure of data, unawareness, and noncompliance. It can ensure data security and privacy protection. However, when the number of threats in the system increases rapidly, the complexity of the analysis also increases, which is not conducive to large-scale system analysis.

VAST [23]. Safety considered: No. VAST stands for visual, agile, and simple threats. It is extensible and suitable for large system analysis.

Markov chain [24,25,26]. Safety considered: No. A Markov chain is a stochastic process with the Markov property, defined over a discrete index set and state space. It is able to make a quantitative analysis of threats. The concept of time is introduced to make the threat analysis process dynamic. It can model and analyze the attack process and the defense process at the same time.

GTS (graph transformation system) [29]. Safety considered: No. This method is a rule-based modeling approach that captures both the structural and the behavioral aspects of a system. Its structure is simple and its logic is clear. It is easy to understand and able to split and combine the structure quickly, facilitating cooperative development.

Bayesian network [27,28]. Safety considered: No. A Bayesian network is an extension of the Bayesian method. It is one of the most effective theoretical models in the field of uncertain knowledge representation and reasoning, and it is a probabilistic graphical model. It can realize the quantitative analysis of threat risk. It can be combined with threat analysis methods such as EVITA and CVSS.

UML-based model [30]. Safety considered: No. This method proposes a formal framework to detect attack surfaces automatically on systems modeled in UML. The formal expression is clear and will not cause ambiguity. UML displays the system structure intuitively and makes it easy to understand, but the UML language is difficult for nonprofessional engineers.

SysML-Sec [31]. Safety considered: Yes. SysML-Sec is a SysML-based model-oriented approach. It is a coanalysis method that considers safety and is capable of covering all design and development phases.

STPA-Sec [32]. Safety considered: Yes. STPA-Sec is a top-down safety and security risk analysis method. It can analyze safety and security scenarios in the concept phase. However, it does not consider the network and system architecture, and some of its important terms cannot take into account both safety and security scenarios.

STPA-SafeSec [33]. Safety considered: Yes. STPA-SafeSec inherits STPA's technical achievements in system theory, attribution models, safety constraints, and hazard control activity analysis. It refines the analysis process framework for cyber-physical systems and expands the integration of physical security and information security requirements. Security constraints are added, and the attribution mapping between the control layer and the component layer is provided.

Tree-based methods:

ATA (attack tree analysis) [34,35]. Safety considered: No. Attack tree analysis is a formal and clear method used to describe the security threats faced by the system and the various attacks to which the system may be subjected. It can describe a complex attack process in the form of a tree, but it requires a detailed system design, so it is not suitable for concept evaluation. In addition, for large systems, the refinement of the attack tree can be tedious and error-prone.

RISKEE (risk tree) [36]. Safety considered: Yes. RISKEE is based on attack graphs and the diamond model, combined with the FAIR method for assessing and calculating risk. The RISKEE method can calculate risk quantitatively, but it does not consider the dynamic impact of mitigation measures on the system.

BDMP (Boolean-logic Driven Markov Processes) [5,6]. Safety considered: Yes. BDMP is an approach in which fault tree and attack tree analysis are combined and extended with temporal connections. It expands the ability of fault tree analysis and attack tree analysis to describe threats. Nevertheless, BDMP is inappropriate for the early development phase of threat analysis and risk assessment.

Table 4: ways of evaluating TARA methods in the literature (study: evaluation).

Haidar et al. [10]: They apply the TVRA methodology to the pseudonymity mechanisms used for the V2X communication aspects of C-ITS.
Dürrwang et al. [8]: They evaluate the effectiveness of the method by letting 30 non-security-professional employees of the University of Applied Sciences in Karlsruhe use it.
Cui and Sabaliauskaite [11]: They use US² to analyze the threats to autonomous vehicles and demonstrate the analysis results.
Hagan et al. [9]: They present a realistic use case of a connected car and several attack scenarios.
Macher et al. [12]: They apply the SAHARA approach to an automotive battery management system (BMS). For this specific example, the SAHARA approach identifies more hazardous situations than the traditional HARA approach (34%).
Schmittner et al. [14]: The scenario they consider is an attack or failure in the firmware over-the-air (FOTA) functionality.
Lee et al. [16]: Use case 1: enhanced Android app-repackaging attack on the in-vehicle network. Use case 2: viable attack path and effective protection against ransomware in modern cars. Use case 3: wireless attack on the connected car and a security protocol for CAN.
Halabi et al. [21]: The evaluation is mainly based on the effectiveness of the defense system compared with other defense strategies that do not consider the attacker's ability to launch intelligent attacks.
Monteuuis et al. [18]: They show SARA's feasibility with two use cases: vehicle tracking and comfortable emergency brake failure.
Karray et al. [29]: They use the modeling of the vehicle speed acquisition system as an example.
Li et al. [27]: A typical dynamic scene is used to demonstrate the proposed method. A car equipped with GNSS/INS goes through an urban canyon where GNSS navigation signals are blocked. They apply the method to infer a belief for the likelihood of threats and risks to GPS signals.
Kaja et al. [37]: The method is benchmarked against EVITA and HEAVENS for validation purposes.

SeaMonster is a security modeling tool for threat models. It supports the use of common graphic symbols to build attack tree models and misuse-case models. Newly created models can be connected to a database to be shared and reused. OWASP Threat Dragon is also a tool that uses graphic symbols to create a threat model diagram. Figure 10 shows a simple model of FOTA made with OWASP Threat Dragon. It supports STRIDE, LINDDUN, and CIA (confidentiality, integrity, and availability). According to the provided threat modeling diagram and its rule engine, it can automatically generate the potential threats in the model and give corresponding mitigations. The comparison of the performance of the TARA tools above is summarized in Table 5. By comparing the performance of different TARA tools, we can understand the characteristics of existing tools so that users can quickly find a suitable threat analysis tool.

Attack-Defense Mapping
Attack-defense mapping is a method to map threats to mitigations. The analysis of commonly used mitigations is mainly based on expert experience, which makes the process of finding a mitigation inflexible and difficult to extend. Even though the best mitigation for the same threat may differ between application scenarios, simply copying expert experience will reduce the defense effect. Compared with relying entirely on expert experience, the attack-defense mapping process should rest on some theoretical basis, such as quantitative analysis and model-based methods. It shows how to methodically select an effective and efficient countermeasure against an attack once threats have been found. Designing the defense strategy with an attack-defense mapping approach can also help researchers design mitigations for their systems. This section presents a review of attack-defense mapping. The methods are mainly the following five: attack-defense tree, game-theoretic approach, feedback-based method, designed-rule-based method, and benefit-cost assessment, which are listed in Table 6.

Attack-Defense Tree Approach.
The attack-defense tree model is a systematic and intuitive approach used to analyze the ability of networks to handle various types of attacks. It combines the attacks with the defending strategies. An attack tree is an analysis-based technique that uses a tree structure to model multistage attacks. The defending nodes express countermeasures that can mitigate the potential harm caused by the attacks. The validity and objectivity of the defending nodes should be verified. The structure of the attack-defense tree model is illustrated in Figure 11.
In 2016, Bahamou et al. [40] added countermeasures to attack trees and obtained the attack-defense tree model. They built an attack-defense tree for vehicular network privacy, in which they combined attacks with defense mechanisms. They introduced countermeasures to mitigate the risk for each subgoal or leaf node. For example, reinforcing the network firewall is the mitigation against the application layer attack according to their attack-defense tree. In 2020, Cui and Zhang [17] proposed an efficient security risk analysis method, Vehicles Risk Analysis (VeRA). They assessed the risk value by considering the attack probability, severity, and human control, and used the attack-defense tree to describe the risk analysis process. The attack nodes are formed as "attack goal -> attack method -> detailed attack -> attack entry point," and the defending nodes show the mitigation that relieves the related attack.

Game-Theoretic Approach.
The game-theoretic approach combines the attack-defense tree with game theory. Game theory is the study of mathematical models of strategic interaction among rational decision-makers. The game-theoretic approach can provide in-depth knowledge of the strategies adopted by attackers and defenders. According to the attack-defense tree, the attacker has several attack methods to achieve the attack goal, and each attack method may correspond to several countermeasures. The purpose of game theory here is to help defenders choose the best mitigation and maximize their payoff. First, an attack-defense tree is established, so that all the potential attacks and mitigations can be listed. Then, by applying game theory to the tree, the defender can reach an optimal mitigation, which is tightly related to the attack strategies. However, the game-theoretic approach assumes that the players act rationally, which is sometimes not the case in reality. Besides, the utility function needs to be properly designed.
In different papers, the calculation of Return on Investment (ROI) and Return on Attack (ROA), which are the utility functions, may differ. Table 7 compares the different calculations of ROI and ROA. In 2016, Garg and Aujla [41] combined an attack-defense tree with a game-theoretic approach to analyze SSL SYN attacks in VANETs. They built the attack-defense tree to identify and tackle the attacks. The risk priority number (RPN) of each leaf node is calculated from three parameters, namely severity, occurrence, and detection, to identify the priority in which the risk needs to be addressed. They used RPN, expected gain (EG), expected loss (EL), cost of investment (COI), and additional cost (AC) to calculate ROI and ROA. The defender needs to choose the countermeasure that maximizes his/her own payoff. They considered different levels of the parameters to calculate ROI and ROA so that the effectiveness can be maintained. In 2019, Garg et al. [42] evaluated a game-theoretic scheme using a case study of a distributed denial-of-service attack. An attack-defense tree was designed to depict every move of the defender with respect to the attacker's strategies. The attacker's moves and the defender's moves are shown in Figure 12. They used a game-theoretic scheme to analyze the impact of ROI and ROA on the attacker's and defender's moves. The calculation of ROI and ROA is shown in Table 7, where EL is the expected loss incurred by the attack, RR is the risk reduction with the countermeasure, COI is the cost of investment, EG is the expected gain, C_A is the cost to launch an attack, and C_AD is the additional cost to attack the countermeasure. The defense strategy is designed preemptively for each step of the attack. In 2017, Bahamou et al. [43] built an attack-defense
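To make the utility functions concrete, here is an added example (not code from the survey or from [41] or [42]) that implements the ROI and ROA formulas Table 7 attributes to Garg et al. [42] over a constructed set of attacks and countermeasures: the defender picks the countermeasure with the best worst-case ROI, and the attacker's best response is read off ROA. The attack and countermeasure names and all numbers are invented, and giving RR per (countermeasure, attack) pair is an assumption not stated on the page.

```python
"""Game-theoretic countermeasure selection with the ROI/ROA utilities of Table 7.

Added illustration for the game-theoretic attack-defense mapping approach; it is
not code from the survey or from Garg et al. [42].  It implements the formulas
Table 7 attributes to [42]:
    ROI = (EL * RR - COI) / COI
    ROA = (EG * (1 - RR) - (C_A + C_AD)) / (C_A + C_AD)
Assumptions not stated on the page: RR is given per (countermeasure, attack)
pair, and the defender chooses by maximin over the attacks.  All attack and
countermeasure names and all numbers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Attack:
    name: str
    el: float   # EL: expected loss to the defender if the attack succeeds
    eg: float   # EG: expected gain for the attacker
    c_a: float  # C_A: cost to launch the attack


@dataclass(frozen=True)
class Countermeasure:
    name: str
    coi: float             # COI: defender's cost of investment
    c_ad: float            # C_AD: additional cost the attacker pays to defeat it
    rr: Dict[str, float]   # RR per attack name, in 0..1 (constructed assumption)

    def risk_reduction(self, attack: "Attack") -> float:
        return self.rr.get(attack.name, 0.0)   # an uncovered attack gets no reduction


def roi(attack: Attack, cm: Countermeasure) -> float:
    """Defender's return on investment for deploying cm against attack."""
    return (attack.el * cm.risk_reduction(attack) - cm.coi) / cm.coi


def roa(attack: Attack, cm: Countermeasure) -> float:
    """Attacker's return on attack once cm is in place."""
    total_cost = attack.c_a + cm.c_ad
    return (attack.eg * (1.0 - cm.risk_reduction(attack)) - total_cost) / total_cost


def defender_choice(attacks: List[Attack], cms: List[Countermeasure]) -> Countermeasure:
    """Maximin: the countermeasure whose worst-case ROI over all attacks is highest."""
    return max(cms, key=lambda cm: min(roi(a, cm) for a in attacks))


def attacker_best_response(attacks: List[Attack], cm: Countermeasure) -> Attack:
    """The attack a rational attacker prefers once cm is deployed."""
    return max(attacks, key=lambda a: roa(a, cm))


def attack_worthwhile(attacks: List[Attack], cm: Countermeasure) -> bool:
    """True if the attacker's best response still has positive ROA.

    This is where the rationality assumption of the approach shows: a negative
    ROA only deters an attacker who actually weighs cost against gain.
    """
    return roa(attacker_best_response(attacks, cm), cm) > 0.0


def build_example_scenario() -> Tuple[List[Attack], List[Countermeasure]]:
    """Constructed V2X denial-of-service scenario (names and numbers invented)."""
    attacks = [
        Attack("request flood against RSU", el=100.0, eg=40.0, c_a=5.0),
        Attack("spoofed beacon replay", el=60.0, eg=30.0, c_a=8.0),
    ]
    cms = [
        Countermeasure("rate limiting", coi=10.0, c_ad=6.0,
                       rr={"request flood against RSU": 0.7, "spoofed beacon replay": 0.1}),
        Countermeasure("message authentication", coi=15.0, c_ad=12.0,
                       rr={"request flood against RSU": 0.2, "spoofed beacon replay": 0.8}),
        Countermeasure("rate limiting + message authentication", coi=24.0, c_ad=15.0,
                       rr={"request flood against RSU": 0.75, "spoofed beacon replay": 0.85}),
    ]
    return attacks, cms


if __name__ == "__main__":
    attacks, cms = build_example_scenario()
    for cm in cms:
        worst = min(roi(a, cm) for a in attacks)
        print(f"{cm.name:40s} worst-case ROI = {worst:7.3f}")
    chosen = defender_choice(attacks, cms)
    reply = attacker_best_response(attacks, chosen)
    print("defender deploys:", chosen.name)
    print("attacker's best response:", reply.name, "with ROA", round(roa(reply, chosen), 3))
    print("attack still worthwhile for a rational attacker?", attack_worthwhile(attacks, chosen))
```

Note how the attacker's preferred move shifts from the replay to the flood once the combined countermeasure is deployed, and that the flood's ROA then turns negative; the same scaffolding accepts the [41] variant by substituting a normalized RPN for RR and AC for C_AD.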

Feedback-Based Approach.
This kind of method finds the appropriate mitigation by reevaluating the risk value. By iterating over or comparing different mitigations, the most effective mitigation is found. It is an effective method for engineers to design the mitigation according to the risk assessment. However, the iterative process has a heavy workload and often requires semiautomated software support. It also takes much time to build the mitigation testing scenarios.
Longari et al. [45] demonstrated a semiautomated and topology-based risk analysis framework. This framework can assess the security of automotive onboard networks and suggest mitigations. It takes the topology as input and evaluates its global risk value. Then, mitigations are implemented iteratively by changing the network topology. Finally, it finds the mitigation that minimizes the global risk value. This kind of method is also effective for connected and autonomous driving scenarios. Le and Maple [44] used a knowledge-based system to identify the critical threats and detect changes in the security context of the CAV and its surrounding environment. Then, they captured the dynamic risks and adjusted the countermeasures as needed. In Figure 13, dynamic mitigation was applied, which combined the two best mitigations against a jamming attack. Therefore, the CAV could attain the lowest risk in different situations with dynamic mitigation.
Suo and Sarma [46] presented a framework for constructing testing scenarios driven by cyber threats. The engineers can select the highest-risk threats in the attack tree and build test cases with several scenarios. Each mitigation strategy is tested against a set of scenarios and iterated. It can help the engineers find the appropriate mitigation against the risk effectively and quickly in the design process. Besides, the Bayesian defense graph provides a method to calculate the likelihood of threats, which helps to achieve feedback analysis. Behfarnia and Eslami [28] used Bayesian defense graphs to analyze the risk of autonomous vehicles in order to study the effect of countermeasures. They built a defense graph using the Bayesian network model and parameterized the elements of the graph. Then, the probability of risk for a set of countermeasures could be inferred with the graph. Their case study used the model and found that the likelihood of threats to GPS signals could be reduced to 0.001% when several kinds of antispoofing techniques were employed.

Table 6 (part): comparison of attack-defense mapping methods (method: characteristics and limitations).

Attack-defense tree approach: It is systematic and intuitive. The validity and objectivity of the defending nodes need to be verified.
Game-theoretic approach: It reflects the strategies adopted by attackers and defenders, and the mitigations are tightly related to the risks. It assumes that the players act rationally, which is not always possible.
Feedback-based approach: It iterates over and compares the mitigations by reevaluating the risk levels to find the appropriate mitigation. It is an effective method to design the mitigations, but the process often involves heavy computation and requires semiautomated software.
Designed-rule-based approach: It performs mapping with a designed ...

Table 7: calculation of ROI and ROA in different papers.

Garg and Aujla [41]: ROI = (EL * RPN − COI)/COI; ROA = (EG * (1 − RPN) − (COI + AC))/(COI + AC).
Garg et al. [42]: ROI = (EL * RR − COI)/COI; ROA = (EG * (1 − RR) − (C_A + C_AD))/(C_A + C_AD).
Bahamou et al. [43]: ROI = ((ALE * RM) − CSI)/CSI; ROA = (GI * (1 − RM) − (Cost_a + Cost_ac))/(Cost_a + Cost_ac).

Designed-Rule-Based Approach.
This method designs a table that maps the results of threat analysis to the corresponding countermeasures. Although it is an efficient and easy way of mapping, it will lead to subjectivity and bias in the countermeasures if the designed table lacks clear and precise definitions.

Figure 12: Moves of attacker and defender [42].

(Figure residue: "Risks of different mitigation strategies")

In 2018, Rosenstatter and Olovsson [47] introduced a mapping from automotive security levels to security mechanisms. They classified threats into six security attributes, each with a security level ranging from zero to four. Then, they designed a direct mapping with which designers can easily obtain the mandatory countermeasures required for specific security levels. It makes the security design much more efficient and easier, but the mechanisms have to be validated with more cases. In 2019, Cui and Sabaliauskaite [11] demonstrated a Unified Safety and Security (US²) analysis method. It evaluates the security risks with a security level (SEL), which uses three parameters, namely attack potential, threat criticality, and DAL focus. US² provides a table that combines the SEL, the ASIL, and the corresponding countermeasures. It is a useful tool for selecting appropriate safety and security countermeasures for autonomous vehicles depending on the risk level.

Benefit-Cost Assessment Approach.
Benefit-cost assessment is a method that selects mitigations so as to reduce costs as much as possible while achieving the best defending effect. Since the effort spent on protection may exceed the effort needed to break it, the selection of countermeasures is usually based not only on technical feasibility but also on a cost-benefit assessment. Many factors need to be considered in the estimate of cost and benefit. The more precise the estimate, the more effective the mapping that can be obtained.
Rocchetto et al. [48] performed a cost/benefit trade-off analysis to justify the costs implied by the corresponding countermeasures and the adoption of specific security requirements. They proposed two different costs: the cost for the attacker and the cost to mitigate the vulnerability. The estimate of the mitigation cost depends on many factors, such as the value of the asset to be protected. The estimate of the attack cost can be defined using the CVSS.

Discussion of Future Developments
In this section, the directions of future developments in TARA in the automotive field are discussed. The future research fields include formal and quantitative TARA approaches, TARA methods with trade-off considerations, and the data-driven TARA process.

Formal and Quantitative TARA Approaches.
At present, domestic and foreign scholars have established a variety of cybersecurity threat analysis frameworks, but the analysis process is highly subjective and lacks quantitative analysis. Formal and quantitative TARA approaches are a research direction that can effectively solve this problem. The formal quantitative threat analysis method uses standardized languages such as SysML to formally describe the system under test and conduct threat modeling at the system level. In addition, through formal modeling, probabilistic analysis of vehicle system network security can be achieved, thereby enabling more detailed quantitative TARA.

TARA Methods with Trade-Off Considerations.
The increasing interaction and connectivity between cyber and vehicle systems give rise to new safety and security challenges. Since cybersecurity attacks can affect the functional safety of vehicles, it is unrealistic to raise the overall defense level while neglecting either side. In addition, too many security defense mechanisms will not only increase the overall vehicle cost but may even affect the user experience [22]. Therefore, considering the trade-offs between security, safety, vehicle cost, and user experience is an important direction for TARA methods.

Data-Driven TARA Process.
As modern vehicles increasingly exchange data with the cloud, OEMs can collect more real data from users' vehicles. A large amount of data opens many possibilities for TARA. For example, a TARA process based on machine learning algorithms has very high requirements on the volume of data, and large-scale data can guarantee the accuracy of threat model training. The data-driven TARA process is a new research direction.

Conclusion
In this survey, the methods of TARA in the automotive field have been analyzed and compared. All the methods are classified so that researchers can quickly and deeply understand the field of TARA. The ways of evaluating TARA methods in the literature are also summarized. We have introduced several commonly used TARA tools and compared their performance. In addition, the concept of attack-defense mapping has been proposed, which focuses on how to match the appropriate mitigation measures after finding threats and vulnerabilities. This concept provides a theoretical basis for TARA and makes the whole process more flexible and convincing. We have classified the attack-defense mapping methods into five categories and then analyzed and compared them. Furthermore, the directions of future developments in TARA for the automotive domain have been discussed.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.