{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,12]],"date-time":"2026-02-12T17:44:11Z","timestamp":1770918251842,"version":"3.50.1"},"reference-count":39,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2022,12,27]],"date-time":"2022-12-27T00:00:00Z","timestamp":1672099200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"ECSEL Joint Undertaking (JU)","award":["876852"],"award-info":[{"award-number":["876852"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>The automotive domain is moving away from simple isolated vehicles to interconnected networks of heterogeneous systems forming a complex transportation infrastructure. The additional means of communication result in increased attack surfaces which can be exploited by physical as well as remote attackers if not secured thoroughly. Thus, the automotive sector is exposed to new cyber risk factors. Consequently, joint approaches targeting securing vehicles and infrastructure by identifying and mitigating potential threats for the automotive domain have been developed in several research projects. This paper builds on developments originating from these projects and correlated standards and regulations. Moreover, the extension of an existing threat modeling tool\u2014THREATGET\u2014with a novel automated approach toward attack propagation will be introduced. Therefore, we will conduct an analysis of a real-world example from the automotive domain. Furthermore, we will identify and analyze potential threats and discuss their accumulation to automatically generate an attack tree.<\/jats:p>","DOI":"10.3390\/info14010014","type":"journal-article","created":{"date-parts":[[2022,12,28]],"date-time":"2022-12-28T05:30:27Z","timestamp":1672205427000},"page":"14","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["THREATGET: Towards Automated Attack Tree Analysis for Automotive Cybersecurity"],"prefix":"10.3390","volume":"14","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3332-1671","authenticated-orcid":false,"given":"Sebastian","family":"Chlup","sequence":"first","affiliation":[{"name":"Austrian Institute of Technology GmbH, Giefinggasse 4, 1210 Vienna, Austria"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8873-9122","authenticated-orcid":false,"given":"Korbinian","family":"Christl","sequence":"additional","affiliation":[{"name":"Austrian Institute of Technology GmbH, Giefinggasse 4, 1210 Vienna, Austria"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4430-6813","authenticated-orcid":false,"given":"Christoph","family":"Schmittner","sequence":"additional","affiliation":[{"name":"Austrian Institute of Technology GmbH, Giefinggasse 4, 1210 Vienna, Austria"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9159-8436","authenticated-orcid":false,"given":"Abdelkader Magdy","family":"Shaaban","sequence":"additional","affiliation":[{"name":"Austrian Institute of Technology GmbH, Giefinggasse 4, 1210 Vienna, Austria"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4446-9081","authenticated-orcid":false,"given":"Stefan","family":"Schauer","sequence":"additional","affiliation":[{"name":"Austrian Institute of Technology GmbH, Giefinggasse 4, 1210 Vienna, Austria"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7412-2826","authenticated-orcid":false,"given":"Martin","family":"Latzenhofer","sequence":"additional","affiliation":[{"name":"Austrian Institute of Technology GmbH, Giefinggasse 4, 1210 Vienna, Austria"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2022,12,27]]},"reference":[{"key":"ref_1","unstructured":"Bradley, T. (2022, August 15). Cyber Attacks on Cars up 225 Percent: How Hackers Could be Targeting Your Vehicle. Section: Cars. Available online: https:\/\/www.express.co.uk\/life-style\/cars\/1632500\/hackers-target-drivers-cyber-attacks-cars."},{"key":"ref_2","unstructured":"Blum, B. (2022, August 15). Cyberattacks on Cars Increased 225% in Last Three Years. Available online: https:\/\/www.israel21c.org\/cyberattacks-on-cars-increased-225-in-last-three-years\/."},{"key":"ref_3","unstructured":"(2022, August 16). 1 in 3 Automotive Cyber Incidents Result in Car Theft or Break-Ins\u2014Atlas VPN. Available online: https:\/\/atlasvpn.com\/blog\/1-in-3-automotive-cyber-incidents-result-in-car-theft-or-break-ins."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Schmittner, C., Schrammel, B., and K\u00f6nig, S. (2021). Asset Driven ISO\/SAE 21434 Compliant Automotive Cybersecurity Analysis with ThreatGet. Proceedings of the European Conference on Software Process Improvement, Krems, Austria, 1\u20133 September 2021, Springer.","DOI":"10.1007\/978-3-030-85521-5_36"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Schmittner, C., Dobaj, J., Macher, G., and Brenner, E. (2020). A preliminary view on automotive cyber security management systems. Proceedings of the 2020 Design, Automation & Test in Europe Conference & Exhibition (DATE), Grenoble, France, 9\u201313 March 2020, IEEE.","DOI":"10.23919\/DATE48585.2020.9116406"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Schmittner, C., Tummeltshammer, P., Hofbauer, D., Shaaban, A., Meidlinger, M., Tauber, M., Bonitz, A., Hametner, R., and Brandstetter, M. (2019, January 4\u20136). Threat Modeling in the Railway Domain. Proceedings of the International Conference on Reliability, Safety, and Security of Railway Systems, Lille, France.","DOI":"10.1007\/978-3-030-18744-6_17"},{"key":"ref_7","unstructured":"Shevchenko, N. (2022, December 14). Threat Modeling: 12 Available Methods. Available online: https:\/\/insights.sei.cmu.edu\/sei_blog\/2018\/12\/threat-modeling-12-available-methods.html."},{"key":"ref_8","unstructured":"Lautenbach, A., and Islam, M. (2022, August 11). The HEAling Vulnerabilities to ENhance Software Security and Safety (HEAVENS) Project\u2014Security Models. Available online: https:\/\/autosec.se\/wp-content\/uploads\/2018\/03\/HEAVENS_D2_v2.0.pdf."},{"key":"ref_9","unstructured":"Shostack, A. (2014). Threat Modeling: Designing for Security, Wiley. OCLC: 855043351."},{"key":"ref_10","unstructured":"Hamad, M. (2020). A Multilayer Secure Framework for Vehicular Systems, Technische Universit\u00e4t Braunschweig."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Khan, R., McLaughlin, K., Laverty, D., and Sezer, S. (2017, January 26\u201329). STRIDE-based threat modeling for cyber-physical systems. Proceedings of the 2017 IEEE PES Innovative Smart Grid Technologies Conference Europe (ISGT-Europe), Torino, Italy.","DOI":"10.1109\/ISGTEurope.2017.8260283"},{"key":"ref_12","unstructured":"(2022, August 12). The Ultimate Beginner\u2019s Guide to Threat Modeling. Available online: https:\/\/shostack.org\/resources\/threat-modeling.html."},{"key":"ref_13","unstructured":"Allen-Addy, C. (2022, December 14). Threat Modeling Methodology: TRIKE. Available online: https:\/\/www.iriusrisk.com\/resources-blog\/trike-threat-modeling-methodologies."},{"key":"ref_14","unstructured":"Threatmodeler (2022, December 14). Threat Modeling Methodologies: What is VAST?. Available online: https:\/\/threatmodeler.com\/threat-modeling-methodologies-vast\/."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Smith, C. (2016). The Car Hacker\u2019s Handbook: A Guide for the Penetration Tester, No Starch Press.","DOI":"10.4271\/1593277032"},{"key":"ref_16","unstructured":"Shaaban, A. (2021). An Ontology-Based Cybersecurity Framework for the Automotive Domain-Design, Implementation, and Evaluation. [Ph.D. Thesis, Faculty of Computer Science, University of Vienna]. Available online: https:\/\/utheses.univie.ac.at\/detail\/59948."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Goswami, D., Schneider, R., Masrur, A., Lukasiewycz, M., Chakraborty, S., Voit, H., and Annaswamy, A. (2012). Challenges in automotive cyber-physical systems design. Proceedings of the 2012 International Conference on Embedded Computer Systems (SAMOS), Samos, Greece, 16\u201318 July 2012, IEEE.","DOI":"10.1109\/SAMOS.2012.6404199"},{"key":"ref_18","unstructured":"Pauker, F., Mangler, J., Rinderle-Ma, S., and Pollak, C. (2018, January 9\u201314). Centurio. work-modular secure manufacturing orchestration. Proceedings of the 16th International Conference on Business Process Management 2018, Sydney, Australia."},{"key":"ref_19","unstructured":"AVL (2020, October 10). Automotive Cybersecurity\u2014A Holistic Approach to the Protection of Vehicles. Available online: https:\/\/www.avl.com\/web\/guest\/services1\/-\/asset_publisher\/gYjUpY19vEA8\/content\/automotive-cyber-security."},{"key":"ref_20","unstructured":"EVITA (2022, August 15). E-Safety Vehicle Intrusion Protected Application\u2014FINAL DRAFT. Available online: https:\/\/trimis.ec.europa.eu\/sites\/default\/files\/project\/documents\/20130702_175923_78998_EVITA_ProjectSummary.pdf."},{"key":"ref_21","unstructured":"OVERSEE (2022, August 15). The Application Store for Cars: Secure Download of Your Favorite Apps into Your Car. Available online: https:\/\/www.oversee-project.com\/fileadmin\/oversee\/press_releases\/OVERSEE-Pressrelease-1-EN.pdf."},{"key":"ref_22","unstructured":"Olsson, M. (2022, August 15). HEAling Vulnerabilities to ENhance Software Security and Safety. Available online: https:\/\/www.vinnova.se\/globalassets\/mikrosajter\/ffi\/dokument\/slutrapporter-ffi\/elektronik-mjukvara-och-kommunikation-rapporter\/2012-04625eng.pdf."},{"key":"ref_23","unstructured":"(2021). Cybersecurity Guidebook for Cyber-Physical Vehicle Systems (Standard No. J3061_202112)."},{"key":"ref_24","unstructured":"(2021). Vehicles\u2014Cybersecurity Engineering (Standard No. ISO\/SAE 21434 Road)."},{"key":"ref_25","unstructured":"ETSI (2010). Intelligent Transport Systems (ITS); Security; Threat, Vulnerability and Risk Analysis (TVRA), European Telecommunications Standards Institute (ETSI). Technical Report."},{"key":"ref_26","unstructured":"UNECE, U.N.E.C.f.E (2020, February 25). Draft New UN Regulation on Uniform Provisions Concerning the Approval of Vehicles with Regard to Cyber Security and of Their Cybersecurity Management Systems. Available online: https:\/\/unece.org\/DAM\/trans\/doc\/2020\/wp29grva\/GRVA-05-05r1e.pdf."},{"key":"ref_27","unstructured":"(2022, December 20). Microsoft Threat Modeling Tool Getting Started Guide, Microsoft Trustworthy Computing. Available online: https:\/\/download.microsoft.com\/download\/4\/F\/D\/4FDDEA98-4ABD-47A7-AA0E-815CE8660A76\/Threat%20Modeling%20Tool%202016%20Getting%20Started%20Guide.docx."},{"key":"ref_28","unstructured":"(2022, December 20). Microsoft Threat Modeling Tool User Guide, Microsoft Trustworthy Computing. Available online: https:\/\/download.microsoft.com\/download\/4\/F\/D\/4FDDEA98-4ABD-47A7-AA0E-815CE8660A76\/Threat%20Modeling%20Tool%202016%20User%20Guide.docx."},{"key":"ref_29","unstructured":"Eng, D. (2017). Integrated Threat Modelling. [Master Dissertation, Universitetet i Oslo]."},{"key":"ref_30","unstructured":"Wolf, M. (2019). Combining Safety and Security Threat Modeling to Improve Automotive Penetration Testing. [Master\u2019s Thesis, Universit\u00e4t Ulm]."},{"key":"ref_31","unstructured":"(2022, July 18). OWASP Threat Dragon | OWASP Foundation. Available online: https:\/\/owasp.org\/www-project-threat-dragon\/."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Williams, I., and Yuan, X. (2015). Evaluating the effectiveness of Microsoft threat modeling tool. Proceedings of the 2015 Information Security Curriculum Development Conference on\u2014InfoSec \u201915, Kennesaw, Georgia, 15\u201317 November 2015, ACM Press.","DOI":"10.1145\/2885990.2885999"},{"key":"ref_33","unstructured":"Christl, K., and Tarrach, T. (2021). The analysis approach of ThreatGet. arXiv."},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"973","DOI":"10.1016\/j.jcss.2014.02.005","article-title":"A survey of emerging threats in cybersecurity","volume":"80","author":"Nepal","year":"2014","journal-title":"J. Comput. Syst. Sci."},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"214","DOI":"10.1016\/j.cose.2018.03.001","article-title":"A systematic survey on multi-step attack detection","volume":"76","author":"Navarro","year":"2018","journal-title":"Comput. Secur."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"31","DOI":"10.4204\/EPTCS.148.3","article-title":"Towards Automating the Construction & Maintenance of Attack Trees: A Feasibility Study","volume":"148","author":"Paul","year":"2014","journal-title":"Electron. Proc. Theor. Comput. Sci."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"100219","DOI":"10.1016\/j.cosrev.2019.100219","article-title":"A review of attack graph and attack tree visual syntax in cyber security","volume":"35","author":"Lallie","year":"2020","journal-title":"Comput. Sci. Rev."},{"key":"ref_38","unstructured":"Schneier, B. (2022, December 20). Academic: Attack Trees\u2014Schneier on Security. Available online: https:\/\/www.schneier.com\/academic\/archives\/1999\/12\/attack_trees.html."},{"key":"ref_39","unstructured":"Shanker, S. (2016). Enhancing Automotive Embedded Systems with FPGAs. [Ph.D. Thesis, Nanyang Technological University]."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/14\/1\/14\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T01:53:10Z","timestamp":1760147590000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/14\/1\/14"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,12,27]]},"references-count":39,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2023,1]]}},"alternative-id":["info14010014"],"URL":"https:\/\/doi.org\/10.3390\/info14010014","relation":{},"ISSN":["2078-2489"],"issn-type":[{"value":"2078-2489","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,12,27]]}}}