Future automotive systems will be connected with other vehicles and information systems for improved road safety, mobility and comfort. This new connectivity establishes data and command channels between the internal automotive system and arbitrary external entities.One significant issue of this paradigm shift is that formerly closed automotive systems now become open systems that can be maliciously influenced through their communication interfaces. This introduces a new class of security challenges for automotive design. It also indirectly impacts the safety mechanisms that rely on a closed-world assumption for the vehicle.We present a new security analysis approach that helps to identify and prioritize security issues in automotive architectures. The methodology incorporates a new threat classification for data flows in connected vehicle systems.