As more vehicles are being connected to the Internet and equipped with autonomous driving features, more robust safety and security measures are required for connected and autonomous vehicles (CAVs). Therefore, threat analysis and risk assessment are essential to prepare against cybersecurity risks for CAVs. Although prior studies have measured the possibility of attack and damage from attack as risk assessment indices, they have not analyzed the expanding attack surface or risk assessment indices that rely upon real-time resilience. This study proposes the PIER method to evaluate the cybersecurity risks of CAVs. We implemented cyber resilience for CAVs by presenting new criteria, such as exposure and recovery, in addition to probability and impact, as indices for the threat analysis and risk assessment of vehicles. To verify its effectiveness, the PIER method was evaluated with respect to software update over-the-air and collision avoidance features. Furthermore, we found that implementing security requirements that mitigate serious risks successfully diminishes the risk indices. Using the risk assessment matrix, the PIER method can shorten the risk determination time through high-risk coverage and a simple process.

随着越来越多的车辆连接到互联网并配备自动驾驶功能，联网和自动驾驶汽车 (CAV) 需要更强大的安全和安保措施。因此，威胁分析和风险评估对于防范 CAV 的网络安全风险至关重要。尽管先前的研究已经将攻击的可能性和攻击造成的损害作为风险评估指标进行了衡量，但他们没有分析依赖于实时弹性的不断扩大的攻击面或风险评估指标。本研究提出了 PIER 方法来评估 CAV 的网络安全风险。除了概率和影响之外，我们还提出了新的标准，例如暴露和恢复，作为车辆威胁分析和风险评估的指标，我们为 CAV 实施了网络弹性。为验证其有效性，PIER 方法针对无线软件更新和防撞功能进行了评估。此外，我们发现实施减轻严重风险的安全要求成功地降低了风险指数。使用风险评估矩阵，PIER方法可以通过高风险覆盖和简单的过程来缩短风险确定时间。