EN 
DE 
What goals, requirements, and guidelines serve as the basis for a shared understanding of the cybersecurity perspective in the development of road vehicles? How are the processes defined and the risks managed in accordance with ISO 31000?
The second part of the series examines project-specific cybersecurity management – goals, planning and assessment.
Since the composition of participating individuals and teams differs in each project, the Responsibilities The cybersecurity activities of a project are redefined. For this purpose, a plan created, which defines the cybersecurity activities, including the definition of tailored measures.
Creating a Cybersecurity Cases It provides evidence of the achieved level of cybersecurity. Has everything necessary been done to secure the system? A regular audit Cybersecurity Assessment assesses the level of cybersecurity achieved, which leads to the decision whether the component is suitable for the Post Development can be released.
Responsibilities can transmitted will be (provided this is communicated and the relevant information is transferred). When tailoring the processes (TailoringActivities are omitted or performed differently. When activities are tailored, a justification must always be provided explaining why the adjustment is appropriate and sufficient. Activities performed by another entity in the chain are not considered tailored but rather distributed activities (distributed activities).
Planning and analysis
Which components and elements remain relevant, which need to be newly developed, and where are you using parts from previous projects? These Cybersecurity plan It can be referenced in the project plan, or it can be included in the project plan, where it is listed separately under “Cybersecurity Activities.” Here, too, responsibilities for maintaining and tracking the progress of activities must be assigned.
Such a plan clearly outlines who does what, when, why, and how. It details the activities, their objectives, and their dependencies on other parts of the project. Who is responsible? What resources are needed? The start and end points, as well as the expected duration, are just as important as identifying the deliverables.
Reusing (ReuseThe reuse of elements and components is particularly critical. While it saves time in the project, it must be assumed that nothing can be reused in exactly the same way as it was used in the past. A change always has to be introduced somewhere. Therefore, a corresponding reuse analysis evaluates, based on precisely defined parameters, whether reuse meets the security requirements.
Figure 4: The reuse analysis assesses whether reuse meets the security requirements.
Out of Context or Off the Shelf?
In some cases, you might work together with other companies or teams on a larger project. This project situation is called... Out of context. You develop something for yourself, but you know that the product will eventually be integrated with other components into a larger product. In this case, you have to rely heavily on assumptions, which are also documented and continuously reviewed and validated to ensure they remain valid.
If you buy Off-the-ShelfWhen adding components, you need clarity on whether the product is truly suitable for your specific application. Is there documentation available? Do you need to adapt it to your specifications and requirements? Sometimes, conclusions can be drawn that necessitate further decisions. For example, if it creates additional vulnerabilities and therefore poses a potential risk.
Image 5: Out of Context or Off-the-Shelf?
Cybersecurity Assessment: Are you on the right track?
During product development, it's possible to stray from the original path. This can be intentional or happen unnoticed. To prevent cybersecurity from being compromised, you need structured assessments that examine such deviations. Using the available documentation and a questionnaire, it can be quickly determined whether everything is still proceeding according to plan.
The result is the Assessment Report, This assesses whether the available work products inspire sufficient confidence for the achieved level of cybersecurity of the part or component to be considered adequate. If it is determined that a component cannot be used further in the project, it is rejected.
Figure 6: The Assessment Report evaluates the level of cybersecurity of a component.
Release for Post Development Report
Together with the Cybersecurity Case and the Assessment Report, the Requirements for post development The third pillar comprises requirements that are continuously collected and provide guidelines on where, in which product phase after the actual development work, potential attackers can cause damage. Attacks can also occur during production, for example. The relevant requirements, deemed important, are collected during the development process.
Ultimately, the question is: Does this information and these specifications meet cybersecurity requirements? Have the necessary requirements for the post-development phase been identified and verified? Ideally, the answer leads to explicit approval, for example, for the start of production.
Figure 7: With cybersecurity case, assessment report and requirements for post-development for approval of release for post-development
A cybersecurity project needs a solid foundation for clear, shared communication. Errors and misunderstandings can jeopardize such a project from the outset. Those who understand the risks and can articulate them together not only secure their project but are also well on their way to fostering a broader culture of cybersecurity.
Get the right knowledge about cybersecurity.
MicroConsult offers you professional Training and coachings to the topics Safety & Security on – in live online and in-person formats.
Part 1 This series of articles, in addition to providing an introduction to the topic, highlights the overarching cybersecurity management – goals, governance & culture.
Further information
MicroConsult Training & Coaching on the topic of Safety & Security
