Exploring policy controls
Just as with the vehicle-level analysis, policy controls must be applied at the ECU level to prohibit design decisions that unreasonably increase the attack surface and significantly alter the threat model of an ECU. Examples of attack surface reduction policy controls are the requirement that all debug interfaces are either locked or disabled, the removal of code profilers, and the elimination of security log traces from production intent builds. The removal of such tools and abilities lowers the attack feasibility related to reconnaissance and the discovery of ECU weaknesses and has a significant return on investment (ROI) in terms of risk elimination. An organization can also enforce policy controls to prohibit certain design choices that would alter fundamental assumptions made during threat modeling. For example, assume the threat model considers that all external network connectivity is filtered through a central gateway. For improved customer experience...
