A Quantitative Methodology for Systemic Impact Assessment of Cyber Threats in Connected Vehicles

The increasing integration of digital technologies in connected vehicles introduces cybersecurity risks that extend beyond individual vehicles, with the potential to disrupt entire transportation systems. Current practice (e.g., ISO/SAE~21434 TARA) focuses on threat identification and qualitative impact ratings at the vehicle boundary, with limited systemic quantification. This study presents a systematic, simulation-based methodology for quantifying the systemic operational and safety impacts of cyber threats on connected vehicles, evaluating cascading effects across the transport network. Three representative scenarios are examined: (I) telematics-induced sudden braking causing a cascading collision, (II) remote disabling on a motorway (M25) segment, and (III) a compromised Roadside Unit (RSU) spoofing Variable Speed Limit (VSL) and phantom lane closure messages to connected and automated vehicles (CAVs). The results highlight the potential for cascading safety incidents and systemic operational degradation, as evidenced by the defined systemic operational and safety vectors, factors that are insufficiently addressed in the current scope of the ISO/SAE 21434 standard, which primarily focuses on individual vehicle-level threats. The findings underscore the need to incorporate systemic evaluation into existing frameworks to enhance cyber resilience across connected vehicle ecosystems. The framework complements ISO/SAE~21434 by supplying quantitative, reproducible evidence for the impact rating step at a systemic scale, reducing assessor subjectivity and supporting policy and operations, enabling more data-driven evaluations of systemic cyber risks.