: Public Class
Created: 04.12.2019 15:54:19
Modified: 01.03.2023 11:28:36
Project:
Advanced:
According to RQ-15-08 Note 1 of ISO 21434, an attack path analysis can be based on:

— top-down approaches that deduce attack paths by analyzing the different ways in which a threat scenario could be realised, e.g. attack trees, attack graphs; and/or
— bottom-up approaches that build attack paths from the vulnerabilities identified.

If a partial attack path does not lead to a threat scenario, it does not have to be pursued any further.

According to RQ-15-09, each attack path must be associated with a threat scenario that can also be realised via this attack path.

According to NOTE 3, the attack path has to be adjusted repeatedly during the development of a product, since at the beginning of product development attack paths are still too imprecise or incomplete due to a lack of details.

Example:
— Threat scenario: spoofing of CAN messages for the braking ECU leads to loss of integrity of the CAN messages and thereby to loss of integrity of the braking function.
— Attack path realizing the above threat scenario:
i. the telematics ECU is compromised via the cellular interface;
ii. the gateway ECU is compromised via CAN communication from the telematics ECU;
iii. the gateway ECU forwards malicious braking request signals (unwanted rapid deceleration).

The attack path analysis is based on an attack path through a more extensive attack tree, in accordance with ISO 21434.
The present modelling with SubAttackGroups, which results in an attack tree, is therefore the necessary basis for a standard-compliant attack path analysis.

Attacks can have multiple subattacks. These subattacks can be linked with an AND, OR or CUSTOM connector.

The default kind used for security attack trees is OR.

Semantics:

Attack trees describe the semantics of the hierarchy and sequence of attacks.
We defined two ways to read those attack trees:
For every attack (higher in the tree) to be successful, every sub-attack (attacks lower in the tree) needs to be successful. The root of the tree is the attack behind an adversary's main motivation, and every sub-attack is a means to an end for the root attack to succeed.

Attacks that are possible after the particular attack was successful are called "follow-up attacks". If one or more follow-up attacks are possible after the attack (you can see this because it is a leaf or sub-attack in the tree), the scope of the particular vulnerability needs to be "(C)hanged" in CVSS.

Notation:

The SubAttackGroup is shown as a relationship between attacks and subattacks. If the SubAttackGroupKind is AND, a Y-formed relationship is used. If the SubAttackGroupKind is OR, separate point-to-point relationships are used between the attack and each of the subattacks. CUSTOM allows for a combination of the other two options. Example: 3 subattacks: (1 AND 2) OR 3

Extension: Specialization of SysML::Requirement
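The AND / OR / CUSTOM connectors described above can be used to enumerate the attack paths of a tree and to check which paths remain once a leaf attack is prevented. The following Python sketch is an added example, not part of the original model documentation or the tool; the tuple encoding and the function names are assumptions, and OR is read in the usual attack-tree sense (any one subattack is sufficient).

```python
from itertools import product

# Assumed encoding (not the tool's data model): a leaf attack is a str;
# a SubAttackGroup is a tuple (kind, child, child, ...).
# CUSTOM is written by nesting AND/OR groups.

def attack_paths(node):
    """Enumerate attack paths as ordered tuples of leaf attacks."""
    if isinstance(node, str):
        return [(node,)]
    kind, *children = node
    per_child = [attack_paths(c) for c in children]
    if kind == "OR":      # any single subattack realises the parent
        paths = [p for child in per_child for p in child]
    elif kind == "AND":   # every subattack is needed, in the listed order
        paths = [sum(combo, ()) for combo in product(*per_child)]
    else:
        raise ValueError(f"unknown SubAttackGroupKind: {kind!r}")
    return list(dict.fromkeys(paths))  # drop duplicates, keep order

def remaining_paths(node, mitigated):
    """Paths that still reach the root when the given leaf attacks are prevented."""
    blocked = set(mitigated)
    return [p for p in attack_paths(node) if not blocked & set(p)]

# The ISO 21434 example from the text: three steps that must all succeed.
BRAKING = ("AND",
           "telematics ECU compromised via cellular interface",
           "gateway ECU compromised via CAN from telematics ECU",
           "gateway ECU forwards malicious braking request signals")

# The CUSTOM example from the text: (1 AND 2) OR 3
CUSTOM = ("OR", ("AND", "subattack 1", "subattack 2"), "subattack 3")

if __name__ == "__main__":
    for tree in (BRAKING, CUSTOM):
        for path in attack_paths(tree):
            print(" -> ".join(path))
    # Preventing subattack 3 alone leaves the (1 AND 2) path open.
    print(remaining_paths(CUSTOM, {"subattack 3"}))
```

For an AND group, preventing any one step removes the whole path; for an OR group, every branch has to be covered before the parent attack is no longer reachable.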
Attribute
Public SubAttackGroupKind
  kind
Details:
 
Element Source Role Target Role
Attack
Class  
Name:  
 
Name:  
 
Details:
 
Attack
Class  
Name:  
 
Name:  
 
Details:
 
Object Type Connection Direction Notes
Attack Class Strong To  
TraceableSpecification Class Generalization To