CASCADE: An Asset-driven Approach to Build Security Assurance Cases for Automotive Systems MAZEN MOHAMAD, Chalmers and University of Gothenburg, Sweden RODI JOLAK, Chalmers and University of Gothenburg, Sweden ÖRJAN ASKERDAL, Volvo Trucks, Sweden JAN-PHILIPP STEGHÖFER, Chalmers and University of Gothenburg, Sweden RICCARDO SCANDARIATO, Hamburg University of Technology, Germany Security Assurance Cases (SAC) are structured arguments and evidence bodies used to reason about the security of a certain system. SACs are gaining focus in the automotive industry as the needs for security assurance are growing in this domain. However, the state of the arts lacks a mature approach able to suit the needs of the automotive industry. In this paper, we present CASCADE, an asset-driven approach for creating SAC, which is inspired by the upcoming security standard ISO/SAE-21434 as well as the internal needs of automotive Original Equipment Manufacturers (OEMs). CASCADE also diferentiates itself from the state of the art by incorporating a way to reason about the quality of the constructed security assurance case. We created the approach by conducting an iterative design science research study. We illustrate the results using the example case of the road vehicle’s headlamp provided in the ISO standard. We also illustrate how our approach aligns well with the structure and content of the ISO/SAE-21434 standard, hence demonstrating the practical applicability of CASCADE in an industrial context. Additional Key Words and Phrases: security, assurance cases, automotive systems 1 INTRODUCTION Assurance cases are structured bodies of arguments and evidence used to reason about a certain property of a system. Security Assurance Cases (SAC) are a type of assurance case for the ield of cyber-security. In this paper, we turn our attention to the creation of a SAC, with a particular focus on the domain of automotive applications. As vehicles become more advanced and connected, security scrutiny has increased in this domain. Furthermore, new standards and regulations push towards assuring security for vehicular systems by using SAC. Similar to safety cases, which are required in safety standards, e.g., ISO-26262 [19], SACs are explicitly required in ISO/SAE-21434 [20]. Additionally, SACs are required for all systems in production. In literature, some studies suggest the creation of SAC based on requirements derived from security standards [6, 9]. However, there is no approach which helps to achieve conformance with the upcoming ISO/SAE-21434 standard. Additionally, since the requirements for SAC are new, there is no evidence in the literature that the knowledge base in industry is mature enough to achieve conformity to these requirements. Moreover, quality assurance of the SACs is missing in the reported approaches in literature, even though it is a very important aspect. In order for diferent stakeholders to use an SAC, it is essential to trust that the SAC’s argument is built with a suicient level of completeness, and that the evidence provides a suicient level of conidence to justify the targeted claims. Finally, Authors’ addresses: Mazen Mohamad, mazen.mohamad@gu.se, Chalmers and University of Gothenburg, Gothenburg, Sweden; Rodi Jolak, rodi.jolak@cse.gu.se, Chalmers and University of Gothenburg, Gothenburg, Sweden; Örjan Askerdal, orjan.askerdal.3@volvo.se, Volvo Trucks, Gothenburg, Sweden; Jan-Philipp Steghöfer, jan-philipp.steghofer@gu.se, Chalmers and University of Gothenburg, Gothenburg, Sweden; Riccardo Scandariato, riccardo.scandariato@tuhh.de, Hamburg University of Technology, Hamburg, Germany. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for proit or commercial advantage and that copies bear this notice and the full citation on the irst page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s). © 2022 Copyright held by the owner/author(s). XXXX-XXXX/2022/11-ART https://doi.org/10.1145/3569459 ACM Transactions on Cyber-Physical Systems